Reports show Warwick Uni network was hacked in the last year, a breach kept secret from students and staff

The executive lead for data protection at Warwick has now been replaced


According to a report from Sky News, the University of Warwick’s network was hacked last year, with the breach kept secret from both staff and the student body.

Three weeks ago, results of an audit showed that the university’s cyber security system could not detect nor prevent breaches. Now, information has come to light showing that the IT system had been accessed and that the violation was kept secret from the affected individuals and organisations.

 

A member of staff had installed remote-viewing software, which allowed for hackers to access the system. They could then steal sensitive personal information on everyone from students to staff to volunteers participating in research studies.

As Sky News reported prior, the Warwick internal report showed that the cyber security protections were so weak that the university cannot identify what data was stolen. Sources also said that there had been multiple data breaches, which would have put a great amount of the Warwick community at risk.

Image may contain: Architecture, Building, Pergola, Door, Patio, Porch, Human, Person

Rachel Sandby-Thomas is the registrar and executive lead for data protection at Warwick, and is responsible for IT services. It has been reported that research bodies and individuals whose data may have been compromised were not informed by her that their data had been at risk and potentially breached.

The university did not give comment on this remark.

 

In March, the Information Commissioner’s Office (ICO), a data protection watchdog, published an executive summary of their audit, which was the first to inform students and staff of the security risks they had been vulnerable to.

The regulator of the ICO’s audit reportedly recommended that Sandby-Thomas be removed from her position as chair of the university’s data protection privacy group (DPPG), advising that the chair should be a person with data protection expertise.

 

“The registrar fully agreed with the report’s finding that we should give those areas of responsibility to someone with a specialist skill set and experience,” the university said.

Ms Sandby-Thomas has held her role at Warwick as executive lead for IT and data protection since 2016, during which there have been numerous security incidents.

 

Since the audit from the ICO, Sandby-Thomas has disbanded the DPPG.

“As previous structures clearly did not deliver all the change and improvements we had sought in this area, it is no surprise that we also sought to change and improve these structures,” the University confirmed.

“We have therefore introduced two new committees to provide enhanced oversight and advice which bring in a wealth of talent including one of Europe’s leading cyber security professors.

“We have also unsurprisingly, and for the same reasons, made changes to the operation and focus of the management and administrative team for that area of work, but all of those staff remain employed by the university.”

This is despite a multitude of sources at the university who told Sky News that ongoing restructuring is expected to involve redundancies.

Image may contain: Urban, Convention Center, Architecture, Human, Person, Building

Warwick University has since hired a new chief information and digital officer, reporting directly to Vice Chancellor Stuart Croft.

Sky News reported also that they have seen internal email in which the registrar joked about the cyber security audit, telling staff it was ‘tomato coloured’ and when asked whether their data was at risk, replied “If I told you what, I’d have to kill you”.

In the same email, Sandby-Thomas also apparently acknowledged that she did attempt to refuse to allow the ICO’s voluntary audit before she was informed that the alternative would be a “compulsory less friendly [audit]”.

The university said: “The registrar’s comments simply confirmed and supported the more formal communications to staff that there were a number of areas, in both our own analysis and the ICO audit, that clearly should be red flagged.

“They also confirmed the ICO’s and our own assessment that only the summary audit report should be public as the publication of the full report could potentially undermine the work to implement its actual recommendations.”