The education sector is prone to cyber-attacks, but is it prepared?
On 16 September 2019, Swindon College announced that it had been the target of a cyber-attack that had resulted in the unauthorised access of personal data of both present and former staff and students. This is just the latest in a growing number of cyber-attacks on the education sector. As with other parts of the economy, cyber-attacks are on the increase, as are claims by individuals for compensation for data breaches. As we approach the start of a new decade, have schools and universities properly prepared for the risk of cyber-attack?
Increase in incidents
Other recent widely reported cyber incidents in the education sector include:
- The unauthorised accessing of the administrative records of 88 students of the University of York in July 2019
- The use of a fake website to impersonate the University of Newcastle in July 2017, with international applicants asked to provide bank account details and passport numbers
- A ransomware attack suffered by University College London in June 2017, in which denial-of-service malware froze networks, and which appeared to be timed for when students were finalising dissertations in order to exert maximum pressure.
In April 2019, the BBC reported on a study by Hiscox which found that the proportion of UK firms reporting cyber-attacks had increased from 40% to 55% in one year. That is consistent with the findings of JISC (a government-funded agency, formerly known as the Joint Information Systems Committee), which has reported that the number of attacks against universities and colleges increased from 600 in the 2016/2017 academic year to 850 in 2017/2018.
JISC also reported in April 2019 that in a cyber-security systems test of 50 universities, the testers were 100% successful in gaining access to personal data, finance systems and research networks.
Why target the education sector?
Schools and universities hold substantial amounts of personal data, often on aging IT systems. There is a real risk of personal data being retained for too long and without proper security mechanisms in place. Such systems are prone to attack and to human error.
In these situations simple errors can have disastrous consequences. For example, in one recent case in which we acted, a spreadsheet containing the personal data of several thousand people was accidentally sent to several hundred people as an email attachment. The document was not password protected. The ICO had to be notified and the affected individuals are entitled to bring claims for damages for injury to feelings. If only 10% of the affected individuals each bring a claim for compensation of £5,000, the overall exposure could be over £5 million.
Universities and other research organisations also hold sensitive intellectual property. It is widely believed that state-sponsored hacking for the fruits of university research is common. Furthermore, schools and universities host very large numbers of people with access to their systems, with JISC reporting that there is an increase in cyber-attacks during term times. The cyber theft of IP may lead to claims by research partners, sponsors and funders.
Insurance POST reported in May 2019 that the education sector was among the five sectors most vulnerable to cyber-attack, but was not among the five with the greatest take-up of cyber insurance. Outside of the US, there has been a slow take-up of cyber cover across all sectors, with many businesses believing that their existing range of insurances provides sufficient cover and that the risks are not great enough to justify the additional premium. That seems to be changing in the wider economy, but the education sector risks lagging behind. There is, however, a widespread move towards both more standalone and bolt-on covers being available, which may assist take-up by the education sector.
There can be no doubt that both cyber-crime and inadvertent data breaches are increasing and these pose substantial commercial and reputational risks for schools, colleges and universities. Might we see claims by students against a university or school for damages to compensate them for the adverse effects of a cyber-extortion attack on their academic record, as we are increasingly seeing in relation to the quality of tuition and supervision? Even if these claims do not materialise in the immediate future, the need for the education sector to react to all forms of cyber risk is clear.