A web server set up by an enterprising student for a conference in 2004 and then forgotten about has left the University of Greenwich nursing a £120,000 ($160,000) fine from Britain’s Information Commissioner (ICO).
Forgetting about a web server isn’t generally a good idea, but this was a particularly dangerous oversight because it had been linked to a database containing the personal data of 19,500 University staff, students, alumni, and conference attendees.
The data also included more intimate personal data of 3,500 people covering learning difficulties, staff sickness, food allergies, and extenuating circumstances put forward by students during their studies.
You can probably guess where this is heading – eventually cybercriminals chanced upon the forgotten server and did their worst.
The initial breach is thought to have occurred in 2013, before it was broken into several times during 2016 with the help of an SQL flaw and some uploaded PHP exploits that opened the way to the databases holding the good stuff.
Eventually, one of the attackers posted the data to Pastebin in January 2016, at which point the breach became public knowledge.
What went wrong? That’s the unsettling bit because on one level – at least from the perspective of 2004 – not much.
The University’s Computing and Maths School (CMS) had held a training conference and one of the academics involved asked a student to build a web microsite. The site included a facility for conference academics to upload documents anonymously via URL, something that attackers would eventually use to their advantage.
Nobody remembered (or had the job of) shutting this down once the conference had finished and so it sat there for years as new vulnerabilities were discovered, patches were applied, skills were improved on all sides and attacks on web servers became everyday occurrences.
How it was forgotten about is not clear, but anyone working in IT will be familiar with the cold-sweat-inducing spectre of shadow IT. A lack of processes for managing servers not within the IT department and the fact that the University later reorganised itself into new faculties were probably contributing factors.
Concluded the ICO:
Whilst the microsite was developed in one of the University’s departments without its knowledge, as a data controller it is responsible for the security of data throughout the institution.
Of course, something as risky as a server connected to a database should never be left in the hands of a single person whose job doesn’t also include securing it.
Perhaps the biggest error wasn’t that the server was forgotten about but that this simple error went unnoticed for an extraordinary 12 years.
That implies that nobody was proactively assessing security – because if the criminals were able to find the microsite, surely the University could have too.
In the light of the fine, the University said that it had completely overhauled its security since 2016 into a form that sounds more like a more modern security operation.
Here’s hoping that there aren’t more servers that time forgot out there that universities have simply forgotten to shut down.