beeboys - stock.adobe.com

A question of trust: University and supplier on the hook for data breach

Data on students at the University of York was stolen in a ransomware attack on a supplier two months ago, and the response of both parties raises serious questions

The importance of guarding against cyber security threats emanating from your organisation’s suppliers and partners, as well as against threats to your own IT estate, has once again been highlighted in painful fashion, this time by the University of York’s disclosure that an unconfirmed amount of data was stolen from a third-party cloud service in a ransomware attack back in May.

The breach was first uncovered at Blackbaud, a US-based supplier of cloud customer relationship management (CRM) services to higher education providers, healthcare organisations and non-profits, of which York is a customer. Blackbaud said that it “successfully prevented” the cyber criminals from blocking its system access and fully encrypting its files, and that it was able to throw them out.

In a statement that included the familiar platitudes about taking data security “seriously”, Blackbaud, by its own admission, said it not only paid the ransom demand, but took the criminals’ word that they had destroyed the data at face value, and went on to disclose that the cyber criminals had removed a copy of a subset of data from its self-hosted environment.

It then waited about two months to inform York, which uses Blackbaud’s services to “record engagement with members of the university community, including alumni, staff and students, and extended networks and supporters”.

Although the stolen data contains no encrypted data, passwords or financial details, it could include basic personal information, student numbers, addresses and contact details, course details, records of engagement with university fundraising or other activities, and professional details – all of which are highly valuable in a targeted phishing attack.

In its statement, York said it had accepted Blackbaud’s assurances that the data had been destroyed on payment of the ransom, but nevertheless it is warning its community to remain vigilant, and has notified the Information Commissioner’s Office (ICO).

“There is no need for our community to take any action at this time,” it said. “As a best practice, we recommend people remain vigilant and promptly report any suspicious activity or suspected identity theft to the proper law enforcement authorities.

“We will continue to work with Blackbaud to investigate this matter, and we continue to take advice from our data protection officer and IT security team. We very much regret the inconvenience that this data breach by Blackbaud may have caused.”

The dangers of trust

Leaving aside whether or not Blackbaud was right to pay the ransom – virtually every single authority says do not, but one must accept this is a decision that is down to the victim – the response to this raises fundamental questions about trust in cyber security.

In this instance, one must consider both Blackbaud’s and York’s apparent trust in malicious cyber criminals, which is ill-advised, and York’s trust in Blackbaud’s ability to behave with responsibility and accountability, which is a rather more reasonable expectation.

Paul Bischoff, privacy advocate at Comparitech, said: “There is no guarantee that the criminals who stole the data followed through and destroyed it. University of York staff and students should be on the lookout for targeted phishing attempts.”

Forcepoint principal security analyst Carl Leonard said: “The fact that a ransom was paid makes this situation especially troubling – no organisation should be forced into the position of handling over money to cyber criminals, and it shows the university and its partners have much to improve in how they store, manage and protect their sensitive data.”

Javvad Malik, security awareness advocate at KnowBe4, said Blackbaud also needed to come clean on why it had taken so long to inform York. “While it’s good and required that the university has informed the affected individuals, the fact that individuals were not made aware until almost two months after the initial breach is worrying,” he said. “It gives criminals a large window of opportunity to monetise the stolen information.”

Paul Edon, senior director of technical services for Europe, Middle East and Africa (EMEA) at Tripwire, said York was not incorrect to have trusted a third party to look after its data, but given the facts of the hack and the delayed response, it was clear there was a disconnect between the two organisations.

“Many universities employ third parties to help manage and secure their systems,” he said. “It is imperative that these third parties are aligned with the university in their security objectives and are regularly audited to ensure they are meeting the service-level agreements. Any misalignment or failure to meet agreed service levels can result in serious loophole in the overall security of the institution.”

York’s path forward

Edon said that while adopting new security systems could also help York protect its assets, it really needed to now concentrate on a “solid cyber security foundation” to minimise future risk, paying particular attention not only to the technology fundamentals – such as antivirus, identity and access management – but, more pertinently in this case, to educating and training its staff and students to spot and mitigate threats on their own.

Forcepoint’s Leonard said: “The traditional rules-based approach to security is far too reactive and slow to respond when it comes to threats like ransomware. Malicious actors are constantly searching for vulnerabilities and ways into networks, and it only takes one opportunity to give them a way in.

“A paradigm shift in security is needed towards user behaviour, rather than the threats themselves. It’s only by doing this that the signal can be separated from the vast amounts of noise.”

Webroot senior threat research analyst Kelvin Murray said universities were particularly tempting targets for hackers, and the sprawling nature of such institutions, with multiple faculties and facilities, makes IT admin and security a particular challenge. Then there is the matter of valuable research data that needs to be protected, particularly from state-backed threat actors.

“A tricky issue is that precious data is on individual students’ laptops/desktops as well as university servers, and the monitoring of access and the massive benefit of stolen credentials pose real difficulties for the IT departments,” said Murray. “A highly tied-down environment doesn’t match with the knowledge-sharing culture of universities.

“To mitigate future attacks, IT teams must properly audit all machines connected to their networks and the data they hold. Security awareness training should be implemented for staff and students from day one, ensuring that they are vigilant in scrutinising the types of emails they receive.”

Read more about supply chain attacks

  • Supply chain security risks can wreak havoc if measures are not taken to deter cyber attackers from exploiting a supplier’s security gaps to target another firm.
  • Threat actors conducted an unprecedented supply chain attack by using malware known as Octopus Scanner to create backdoors in open source projects, which were uploaded to GitHub.
  • Avast was able to stop an attempted supply chain attack targeting its CCleaner software, but experts say all enterprises should be wary of similar supply chain attacks.

Read more on Hackers and cybercrime prevention