A leading UK university has come under fire after reportedly failing to notify those affected after hackers breached its administrative network last year.
Warwick University, a member of the Russell Group comprising the country’s top 24 universities, suffered the attack when an employee unwittingly installed malware. That reportedly allowed hackers to lift personal information on students, staff and volunteers taking part in research studies.
However, the impact of the incident was compounded because data protection at the university was so poor that the institution couldn’t identify which information had been stolen, according to Sky News.
Registrar and executive lead for data protection, Rachel Sandby-Thomas, apparently took the decision not to inform those whose data was stored on the admin network about the incident. It’s unclear whether the regulator, the Information Commissioner’s Office (ICO), was told, as the incident would seem to fall under the remit of the GDPR.
However, a voluntary audit of the university by the ICO, published in March, revealed multiple failings of processes and procedures in governance and accountability, security of personal data and training and awareness. The latter category was described as having a “very limited” assurance rating.
The university apparently disbanded the data protection privacy group (DPPG) that Sandby-Thomas chaired after the ICO suggested she be replaced, admitting that she didn’t have the “specialist skill set and experience” needed, according to the news report.
That’s despite the individual having been the executive lead for IT and data protection at the university since 2016.
An internal email seen by the news channel also revealed that Sandby-Thomas tried to block the voluntary ICO audit until she was told that the alternative was a “compulsory less friendly one.”
Jake Moore, cybersecurity specialist at ESET, argued that any cover-up of data breach incidents is likely to do more harm than good.
“It is far better to own up to attacks, especially given that constant attacks against organizations from cyber-criminals across the world mean that breaches will inevitably happen,” he added. “Many people are more forgiving now and tend to appreciate when organizations own up at the earliest opportunity and even show where there have been failings.”