The University of Greenwich has suffered its second data breach of the year after students’ personal details were leaked online by a hacker, according to reports.
The black hat appears to have compromised the university’s website and database via a simple SQL injection attack, Oren Yaakobi from security vendor Hacked-DB told the Evening Standard.
This apparently enabled him to deface a web page and insert a link to the compromised data, hosted on the dark web.
Alongside the link was the following message:
“So due to my elite skills and e-fame, you guys decided to kick me out of University because you couldn’t handle the beast. In response to this, I’ve used the skills I’ve obtained to show you how good I actually am. Please let me come back.”
Yaakobi told the paper that over 21,000 email accounts and log-ins had been exposed, as well as personal information including full names and contact details, information on students with disabilities, and even a spreadsheet containing details of medical problems pertaining to some staff.
Even details of external students and those that had merely applied for a course were apparently leaked online.
A university spokeswoman confirmed that there had been “a breach of the IT security system in the Faculty of Architecture, Computing and Humanities.”
She added that staff and students had been urged to change their passwords as a precaution.
The breach follows an incident in February when the university erroneously posted the personal details of postgraduate students – including information on mental health and other medical conditions – on its public-facing website.
At the time, secretary Louise Nadal described the incident as an “unprecedented data breach for the university.”
Digital Guardian EMEA general manager, Luke Brown, argued that organizations need to learn from their mistakes.
“The University of Greenwich may have plugged a few security holes after its breach in February, but this latest attack highlights the challenge that organizations face securing their data from a wide range of different threats and threat actors,” he added.
“Security experts say that it is no longer enough to focus on guarding the perimeter. If an attacker is determined enough, they will find a hole and so it is essential to protect what matters most – your sensitive data.”
White Hat Security’s VP of the Threat Research Center, Ryan O’Leary, claimed that around 6% of websites have at least one SQL injection vulnerability.
“SQL injection is not the most difficult attack to execute. In fact, it’s one of the very first skills you learn when trying to attack a site, because of the prevalence of the flaw and ease of exploitation,” he argued.
“Companies need to run a thorough vulnerability assessment and fix these critical, yet easy-to-exploit, vulnerabilities.”