UK universities now being aggressively targeted for data theft and phishing
Israeli researchers have discovered the contact details for everyone working and teaching at the University of Liverpool circulating on a dark web forum where it is being promoted to launch targeted phishing attacks.
According to security firm Cyberint the data - name, address and work email addresses - was posted on the criminal forum by a Portuguese-speaking hacker or group known as '@ECHOison' in early February 2016, where it remains publicly available.
The university was told of the posting some weeks ago by Cyberint, after which Computerworld UK understands the university contacted Merseyside Police.
The university released a statement to Computerworld UK making clear that although the contact details were taken from a database, the fact they are considered public domain meant that this was not equivalent to a data breach.
"We detected an automated cyber-attack on one of our departmental online booking systems, which resulted in publicly available data - surname, email, and business telephone numbers - being released on the internet," the university said.
"We take the security of all university-related data very seriously and routinely test our systems to ensure that all data is protected effectively. We supported the Regional Organised Crime Unit (TITAN) in their investigations into this issue and reported the case to the Information Commissioner's Office."
The university has a point when it says the data is publically available - such contact databases will exist for every university in the UK in a form accessible to students and the public in general. However, being able to grab that in a single database remotely is a helpful way of fuelling industrial phishing and malware attacks without the inconvenience of having to manually cull the same contact data from lots of smaller repositories.
Contact databases are no longer the innocent data sources they would have been in the recent past. Protecting or securing them would be prudent.
The fact hackers see value in an entire contact database is also an important reminder of the extent to which UK universities are now being targeted by people with destructive motives.
In March, a survey of senior IT staff representing a third of the UK's university sector uncovered widespread concernat their ability to defend themselves from attacks designed to steal research and IP data, and to target students and staff with phishing.
The total volume of research and other data now held by UK institutions has almost certainly reached 1 exabyte, with 20 or more institutions now storing petabytes, according to a detailed 2015 study by UK cloud archiving company Arkivum.
The group or person responsible for this posting appears to specialise in attacking academic websites, having previously targeted institutions including the University of Ottawa as well as releasing contact information for 150 United Nations staff.
Sign up for CIO Asia eNewsletters.