Man arrested over UK's Lancaster University data breach hack allegations

Cops have cuffed a 25-year-old man from Bradford on suspicion of committing Computer Misuse Act crimes after Lancaster University suffered a data breach affecting more than 12,000 students and applicants. In a statement the National Crime Agency said: "Officers from the NCA's National Cyber Crime Unit arrested the man on …

  1. Anonymous Coward
    Anonymous Coward

    I wonder

    "We are further informed that the attackers' route in was through the compromise of a staff account with administrator credentials,"

    How much of a "hack" this was, or if it was social engineering, or said member of staff being lax...

    Because it doesn't sound like there's a system vulnerability that has been exploited. I wonder what is happening with the staff member whose account was compromised?

    1. Anonymous Coward
      Anonymous Coward

      Re: How much of a "hack"

      Social engineering is hacking. You're hacking the weakest link in the security fence. Never regard hacking as solely an exercise conducted against computers. Hackers with serious targets hack organisations, buildings, people, and, finally, networks and computers.

      The better they hack the earlier items in that list, the easier it is to hack the later items. Read Chris Hadnagy's "Social Engineering: The Art of Human Hacking" for insight.

      1. Dr Dan Holdsworth Silver badge
        Boffin

        Re: How much of a "hack"

        About time the old 2FA for login was rolled out, eh?

      2. Anonymous Coward
        Anonymous Coward

        Re: How much of a "hack"

        Not really interested in you sidelining this for a semantics debate... Any thoughts on the account compromised, the method and the staff member who owned the account?

    2. lglethal Silver badge
      Go

      Re: I wonder

      "I wonder what is happening with the staff member whose account was compromised?"

      I would expect they're being asked some serious questions about why they needed to have admin privileges in the first place (assuming this wasn't someone in IT, although in that case, the questions should be why they were using their admin privileges and not a regular account when they got phished).

      However, I find as a rule, people are pretty mortified when they find out they were phished, and so you don't really need to put the boot in. You just get them on a training course immediately, it tends to work wonders on their ability to take it in. There are of course, some that never learn of course...

    3. Cuddles Silver badge

      Re: I wonder

      "Because it doesn't sound like there's a system vulnerability that has been exploited."

      Humans are a system vulnerability.

      1. Anonymous Coward
        Anonymous Coward

        Re: I wonder

        So you agree it's the end user who got socially engineered?

  2. Doctor Syntax Silver badge

    "Evidently someone wasn't listening."

    And evidently someone else was.

    I wonder if the account phished this time was one JISC breached on their test.

    1. Alan Brown Silver badge

      "I wonder if the account phished this time was one JISC breached on their test."

      Based on what I see in my own $orkplace - I don't.

      And these same people get offended/start making grievance cases when you call them out on it.

      I'm not kidding about this either - We had two staffers _deliberately_ disable AV software which was preventing them opening malware that had come in via email on the basis that "It might be something important" - and they did it on multiple occasions.

      After one's third offence - and giving her a dressing down for causing us over a day's lost work - a formal complaint was filed on the basis of "Speaking to her as if she was a spoiled naughty child and making her cry" - her excuse at the time was "I knew it might be infected but it's my duty to open everything to see if it's important, no matter what and the Antivirus software was stopping me doing that"

      These are the users who give you 65 million reasons to ensure that they CAN'T mess with the systems - although personally I'd prefer to detect them attempting it, give one warning and make the second one security appearing at their desk to escort them off the premises.

      1. Anonymous Coward
        Anonymous Coward

        Two words which strike fear into the heart of any IT person working in Higher Education:

        "Academic Freedom"

        aka: "I'm an important[1] person so you do what I tell you"

        [1] I believe I am important.

        1. TRT Silver badge

          Is that related to Macadamiac Freedom, where you let the nuts run the asylum?

      2. low_resolution_foxxes

        Hallelujah, praise the lord, these users are often the worst co-workers.

        I worked with one who can probably best be described as 'mid level sales admin', with the personality of an antisocial psychopathic CEO. She did exactly the above and the whole business had to shut down for 4 days to recover from an encrypted trojan of some kind. I recall the IT team found less than 10 Malwarebyte items of interest on the 6 other PCs, but hers had some daft number in excess of 25k and hundreds of actual bots.

  3. TRT Silver badge

    And it's based on anecdotes like this...

    that IT departments in universities say things like "no, staff members can't have admin rights on their devices, there's no need, and if there is we have the keys to the kingdom..." whilst apparently forgetting that the keys to the kingdom are themselves vulnerable to theft or abuse. It wouldn't surprise me if the breach was closer to home than they would like to admit.

    1. hmv Bronze badge

      Re: And it's based on anecdotes like this...

      Quite possibly.

      But it's a bit of a leap to assume access to student data is controlled by machine admin rights.

      And you do know that removing admin rights from users is the first item in the list of securing any site? Not just universities.

      1. TRT Silver badge

        Re: And it's based on anecdotes like this...

        It would be a heck of a leap to connect access to student records with pwn'ing a researcher's desktop machine. Yet this is what I find so often - you can't have admin rights on your machine because "we need to secure the site and that's the first item in the list" whilst calculating the cost of a breach like this and finding it outweighs the inconvenience and cost to staff of not having admin rights. Whereas this, I would argue, is not an appropriate thing to do in all cases. Universities are more than just big schools - they have teaching, but often they also have research, and often other roles such as curators of knowledge and wisdom access points for communities (virtual and physical). The balancing act, I feel, is somewhat disjointed, as if you have two kids on each end of a seesaw, but they're actually two different seesaws. You could be doing yourself a disfavour by being too anal about security instead of being smart and securing that which needs to be secure. Layered and appropriate defence instead of one big castle where once you're inside you can run unchecked.

        1. Korev Silver badge
          Boffin

          Re: And it's based on anecdotes like this...

          Many universities have medical schools, biology departments etc and therefore have clinical data knocking about. Others will have collaborations with defence firms. There are many types of data which will need securing.

          1. TRT Silver badge

            Re: And it's based on anecdotes like this...

            Indeed. Having access to the data, though, is key to the research activity, so authorised people will have to have access, and THIS is always going to be a point of attack. Far better to educate the end users and work with them to derive a workable security strategy than to lock them out in ways that will frustrate them and cause them to find ways of getting around restrictions that they see as unnecessarily cumbersome or restrictive. In other words, if it's the data that needs to be secure, then secure the data properly and not everything else as well.

    2. Anonymous Coward
      Anonymous Coward

      Re: And it's based on anecdotes like this...

      You're assuming that there's just one central IT dept running everything for the business. Speaking from first hand experience, some HE places are nothing like this, with IT devolved across the institution. There may not even be just one "central" IT department, but several. (Yeah, go figure..)

      1. dotdavid

        Re: And it's based on anecdotes like this...

        As a Lancaster graduate, albeit of quite a few years ago now, I can confirm that it only has the one IT department (ISS).

  4. Claverhouse Silver badge

    Never heard of Lancaster Uni, yet as befits a 1964 foundation all the buildings look profoundly fugly.

    https://en.wikipedia.org/wiki/Lancaster_University

    .

    1. Daedalus Silver badge

      As a Yorkie I had the (dis)pleasure of going to Lancaster for their biannual hosting of the annual Roses Weekend. Now, at any Northern uni, you get the "everybody buggers off down to London on Friday" syndrome. We get it. They couldn't get into UCL, LSE or Oxbridge, but they're not going to stay up north for a second longer than necessary.

      At Lancaster this is turned up to 11, because the campus is utterly isolated on a hill. In rainy Lancs. So the festive weekend turned out to be a lot of wandering around the deserted campus looking for an open bar, cafeteria etc. Worst weekend ever.

      1. MrMerrymaker Bronze badge

        I actually went as a student and found it lovely. Handsome varied buildings - not all of em great, but some of them nice.

        And what you see as being "isolated" I found as open and rolling and natural.

        Can't comment on a perceived student population issue as I went in the early 2000s and I'm northern anyway

      2. mark4155

        As a Lancastrian who left high school with no qualifications or any real direction I'm deeply indebted to Lancaster University for their outreach classes that made me who I am.

        The university gave me the confidence to reply to you and suggest you are blindingly wrong.

        For your record, the bars are open every day. Seek and you shall find.

        Toodle pip.

    2. Anonymous Coward
      Anonymous Coward

      You've never heard of it and you somehow think that you're not in the wrong but the uni is? Nice mind you have there...

  5. Yet Another Anonymous coward Silver badge

    State sponsored ?

    Obviously an attack by t' People's Army of Yorkshire on the hated Lancastrians

    1. TRT Silver badge

      Re: State sponsored ?

      Ah. On Ilkley Moor bar black'tat?

      1. Dr Dan Holdsworth Silver badge
        Joke

        Re: State sponsored ?

        The line is actually "Baht aaht", and given the physiology of the average computer geek, this is actually more frightening still.

    2. Anonymous Coward
      Anonymous Coward

      Re: State sponsored ?

      An attempt at humour, I suppose?

    3. Korev Silver badge
      Coat

      Re: State sponsored ?

      They rose to the challenge...

    4. Andytug

      Re: State sponsored ?

      Revenge for losing the original war?

  6. 0laf Silver badge
    Facepalm

    Sophisticated and malicious

    They're always "sophisticated" aren't they?

    Except they never usually are. The press release always implies a nation state APT when reality is closer to a badly worded 419 scam or a USB stick in the car park.

    This will keep happening until we invest in training and basic measures. Which will probably never happen.

    1. Anonymous Coward
      Anonymous Coward

      Re: Sophisticated and malicious

      This very point was raised and discussed on the previous article just yesterday.

      You might want to go there as most seemed to agree with you?

    2. Alan Brown Silver badge

      Re: Sophisticated and malicious

      "This will keep happening until we invest in training and basic measures. Which will probably never happen."

      Very sorry to disappoint you, but for the cases I mentioned the users in question DID get training and STILL went on to try and override the antivirus software - no responsibility and liability == don't care.

      These days that training would include mention of GDPR, swingeingly large fines and the probability that apart from being a dramatically career limiting move, the university's insurance underwriters may attempt to recover some of their costs from the people in question if there was any hint of actively overriding the security systems.

  7. Blockchain commentard Silver badge

    Probably could have gotten away with it if only he'd offered to set the students qualies as 1st with honours (without having to put in all those hours down the student bar!!)

    1. Anonymous Coward
      Anonymous Coward

      “set the students qualies as 1st with honours“

      As opposed to a 1st without honours? PMSL

  8. Nick Kew Silver badge
    Coat

    White Rose

    Shouldn't a Yorkshireman have historic licence to attack a Lancastrian institution? Give him a medal - or at least a rose.

    Mine's the one whose rose is a bramble ...


Biting the hand that feeds IT © 1998–2019