Incident: University Cyber-Defences Breached: Data Compromised by Hackers

Published Date: 2019-04-03

Postmortem Analysis
Timeline:
1. The software failure incident of hackers beating university cyber-defences in the UK occurred in 2019. [83817]

System: The software failure incident reported in the article was related to cyber-security defences being breached by hackers during penetration testing at UK universities. The systems that failed in this incident were:
1. Cyber-security defences at UK universities [83817]

Responsible Organization:
1. Hackers [83817]

Impacted Organization:
1. UK universities and research centers [83817]

Software Causes:
1. Lack of adequate cyber-security knowledge, skills, and investment in UK universities [83817]
2. Vulnerabilities in university cyber-defences allowing hackers to access personal data, finance systems, and research networks [83817]
3. Sophisticated cyber-attacks such as spear phishing leading to breaches in university systems [83817]

Non-software Causes:
1. Lack of adequate cyber-security knowledge, skills, and investment in UK universities [83817]
2. Use of spear phishing techniques by hackers to deceive university staff and students [83817]
3. Insufficient protection of sensitive research data and personal information by universities [83817]

Impacts:
1. Personal data, finance systems, and research networks were accessed by hackers within two hours, leading to a 100% success rate in breaching cyber-defences at UK universities [83817].
2. The incident highlighted the lack of adequate cyber-security knowledge, skills, and investment in some UK universities, posing a risk of disastrous data breaches or network outages [83817].
3. Sensitive research data held by universities was targeted by hackers, with the potential for intellectual property theft by foreign governments and criminal actors [83817].
4. The incident underscored the need for universities to ensure the safety of online systems and protect the vast amount of data they accrue, placing a burden of responsibility on institutions [83817].

Preventions:
1. Implementing regular and thorough cybersecurity training for university staff and students to increase awareness of phishing attacks and other common cyber threats [83817].
2. Enhancing investment in cybersecurity knowledge and skills within universities to ensure adequate protection against evolving cyber threats [83817].
3. Utilizing advanced cybersecurity measures such as multi-factor authentication, encryption, and intrusion detection systems to strengthen the defense against cyber-attacks [83817].
4. Collaborating with cybersecurity agencies like the National Cyber Security Centre (NCSC) to improve security practices and receive guidance on protecting against cyber threats [83817].

Fixes:
1. Enhancing cyber-security knowledge, skills, and investment in UK universities to improve cyber-defences [83817].
2. Implementing stricter regulations and setting minimum requirements for cyber-security in universities to protect sensitive data [83817].
3. Collaborating with organizations like Jisc and the National Cyber Security Centre to improve security practices and protect against cyber-threats [83817].

References:
1. Jisc (formerly the Joint Information Systems Committee) and the Higher Education Policy Institute (Hepi) [Article 83817]
2. National Cyber Security Centre (NCSC) [Article 83817]
3. GCHQ intelligence service [Article 83817]
4. Joint Committee on the National Security Strategy [Article 83817]
5. Universities UK [Article 83817]

Software Taxonomy of Faults

| Category | Option | Rationale |
| --- | --- | --- |
| Recurring | unknown | The articles do not provide specific information about a software failure incident happening again at either one organization or multiple organizations. Therefore, the information to answer this question is 'unknown'. |
| Phase (Design/Operation) | design, operation | (a) The software failure incident related to the design phase can be seen in the article where ethical hackers were able to successfully breach the cyber-defences of UK universities during simulated attacks. The tests conducted by Jisc's team of ethical hackers revealed that they were able to access personal data, finance systems, and research networks within a short period of time, highlighting a failure in the design of the cyber-security systems [83817]. (b) The software failure incident related to the operation phase is evident in the same article where it is mentioned that the simulated attacks were able to reach student and staff personal information, override financial systems, and access research databases within a short timeframe. This indicates a failure in the operation or misuse of the cyber-security systems in place at the universities [83817]. |
| Boundary (Internal/External) | within_system | (a) within_system: The software failure incident in the articles is primarily within the system. The failure was due to the lack of adequate cyber-security measures within the UK universities and research centers. Ethical hackers were able to breach the cyber-defenses of these institutions in simulated attacks, accessing personal data, finance systems, and research networks. The tests conducted by Jisc showed a 100% success rate in breaching the cyber-defenses, indicating a failure within the system to protect against such attacks [83817]. (b) outside_system: There is no explicit mention in the articles of the software failure incident being caused by contributing factors originating from outside the system. The focus of the incident is on the vulnerabilities within the system itself, such as inadequate cyber-security measures, susceptibility to phishing attacks, and the need for improved security practices within the universities and research centers. |
| Nature (Human/Non-human) | non-human_actions, human_actions | (a) The software failure incident occurring due to non-human actions: The article reports on a simulated cyber-attack conducted by ethical hackers on UK universities' cyber-defences. The tests were carried out by Jisc's in-house team of ethical hackers, and they were able to access personal data, finance systems, and research networks within two hours. The attacks were successful in breaching the cyber-defences in every case, highlighting vulnerabilities in the systems [83817]. (b) The software failure incident occurring due to human actions: The article mentions that one of the most effective approaches used by the ethical hackers in the simulated cyber-attacks was "spear phishing." Spear phishing involves sending emails that appear to be from a known or trusted source but are actually a way to conceal an attack, such as downloading malware. This tactic relies on human interaction, as individuals need to be tricked into clicking on malicious links or downloading harmful attachments. Therefore, human actions played a role in the success of the cyber-attacks on the universities' systems [83817]. |
| Dimension (Hardware/Software) | software | (a) The articles do not provide information about a software failure incident occurring due to contributing factors originating in hardware [83817]. (b) The software failure incident reported in the articles is related to cybersecurity breaches and attacks carried out by hackers on UK universities' systems. The hackers were able to breach the cyber-defenses of universities, accessing personal data, finance systems, and research networks. The simulated attacks, known as "penetration testing," showed a 100% success rate in getting through the cyber-defenses, with hackers able to access sensitive information within a short period of time. The incident highlights the vulnerability of university systems to cyber-attacks and the need for improved cybersecurity measures [83817]. |
| Objective (Malicious/Non-malicious) | malicious | (a) The software failure incident reported in the articles is malicious in nature. The incident involved hackers conducting simulated cyber-attacks on UK universities, with the objective of obtaining "high-value" data within a short period of time. The attacks were successful in accessing personal data, finance systems, and research networks, indicating a deliberate attempt to breach the cyber-defences of the universities [83817]. The use of tactics like "spear phishing" to deceive users and gain unauthorized access further supports the malicious intent behind the software failure incident. |
| Intent (Poor/Accidental Decisions) | unknown | The articles do not provide information specifically related to a software failure incident caused by poor decisions or accidental decisions. Therefore, the intent of the software failure incident in this context is unknown. |
| Capability (Incompetence/Accidental) | accidental | (a) The articles do not specifically mention a software failure incident occurring due to development incompetence. (b) The articles highlight a software failure incident related to accidental factors. The incident involved simulated cyber-attacks, known as "penetration testing," conducted by ethical hackers on UK universities. Despite the universities' cyber-defences, the ethical hackers were able to breach the systems within a short period, accessing personal data, finance systems, and research networks. The breaches were achieved through tactics like "spear phishing," where emails appeared legitimate but were used to conceal attacks such as downloading malware [83817]. |
| Duration | unknown | The articles do not mention any specific software failure incident being either permanent or temporary. |
| Behaviour | omission, value, other | (a) crash: The articles do not specifically mention a software failure incident related to a crash where the system loses state and does not perform any of its intended functions. (b) omission: The articles mention a software failure incident related to omission where the system omits to perform its intended functions at an instance(s). Ethical hackers were able to obtain "high-value" data within two hours in every case, indicating a failure of the system to prevent unauthorized access and protect sensitive information [Article 83817]. (c) timing: The articles do not mention a software failure incident related to timing where the system performs its intended functions correctly but too late or too early. (d) value: The articles mention a software failure incident related to value where the system performs its intended functions incorrectly. Ethical hackers were able to access personal data, finance systems, and research networks, indicating a failure of the system to protect this information from unauthorized access [Article 83817]. (e) byzantine: The articles do not mention a software failure incident related to a byzantine failure where the system behaves erroneously with inconsistent responses and interactions. (f) other: The other behavior observed in the software failure incident is the system's vulnerability to sophisticated cyber-attacks, such as spear phishing, which led to the breach of cyber-defenses and unauthorized access to sensitive information [Article 83817]. |

IoT System Layer

| Layer | Option | Rationale |
| --- | --- | --- |
| Perception | None | None |
| Communication | None | None |
| Application | None | None |

Other Details

| Category | Option | Rationale |
| --- | --- | --- |
| Consequence | property, non-human, theoretical_consequence | (d) property: People's material goods, money, or data was impacted due to the software failure. The software failure incident described in the articles pertains to cyber-attacks on UK universities, where hackers were able to access personal data, finance systems, and research networks. The attacks resulted in a breach of sensitive information, including student and staff personal information, financial systems, and research databases [83817]. The incident highlighted the potential risk of a "disastrous data breach or network outage" due to inadequate cybersecurity measures at universities [83817]. Additionally, universities were noted to hold masses of data on sensitive research, making them targets for cyber-attacks aimed at stealing intellectual property and gaining a technological advantage [83817]. |
| Domain | knowledge | The software failure incident reported in the articles is related to the **knowledge** industry, specifically universities and research centers. The incident involved a test of UK university defenses against cyber-attacks, where hackers were able to obtain "high-value" data within two hours, including personal data, finance systems, and research networks [Article 83817]. The simulated attacks were carried out on more than 50 universities in the UK, highlighting the vulnerability of institutions holding sensitive research data and personal information about students. The incident underscores the importance of cybersecurity in the knowledge industry to protect valuable research and personal data from cyber threats. |
