The University of Greenwich has reported its second data breach of the year, stemming from an incident involving the unauthorized release of sensitive information by a disgruntled former student. This situation raises serious concerns about data security practices within academic institutions, particularly regarding how personal and confidential information is managed.
Recent reports indicate that the hacker successfully infiltrated the university’s website, capturing a trove of sensitive data before sharing it through publicly accessible links. According to an article in the Evening Standard, the leaked details included an array of student information such as names, contact numbers, grades, and feedback, as well as internal communications and staff vacation schedules. Alarmingly, even information related to students with disabilities was disclosed, with a “sickness table” revealing private medical conditions.
The hacker’s motives appear to be rooted in revenge, as suggested by a post obtained by the news site HackRead, which included a message from the individual claiming to showcase their hacking prowess following expulsion from the institution. The posted statement indicated a desire for acknowledgment of their skills, framing the breach as a demonstration of capability in the face of perceived injustice.
Moreover, this incident follows a previous data breach earlier in the year, mentioned in a BBC News investigation, where it was revealed that personal student data, including full names and contact information, was readily available via search engines. In addition to basic identification, this earlier breach included sensitive medical details justifying academic performance issues, which were also made visible through informal channels.
The University of Greenwich has acted quickly to minimize the fallout from this latest breach, reportedly removing the exposed details after they garnered attention on social media. Meanwhile, the Independent has sought further comment from the university regarding the security measures being implemented in response to these serious vulnerabilities.
Both breaches highlight critical gaps in data protection and incident response protocols at the institution, which has stated a commitment to safeguarding confidential information. The Information Commissioner’s Office has acknowledged awareness of these incidents and is actively investigating, emphasizing the importance of compliance with data protection laws.
From a cybersecurity standpoint, the tactics used in this breach can be mapped to the MITRE ATT&CK framework. Initial access likely occurred through exploitation of flaws in web security or inadequate access controls. Maintaining access might have involved persistence methods typical of revenge hacking, in which the attacker remains undetected within the system. Privilege escalation techniques may have been employed to gain unauthorized access to more sensitive data.
The repeated breaches at the University of Greenwich serve as a critical reminder to educational institutions and business leaders alike about the necessity of robust data security frameworks. As cyber threats become increasingly sophisticated, implementing comprehensive security strategies to protect sensitive information should remain a top priority for organizations across all sectors.