Forget Me Not

Written by:
Lucie Sadler
Date Posted:
24 May 2018
Category:
Security

Student microsite gets hacked over a decade later

Never forget
Back in 2004, a tech-savvy student at The University of Greenwich made a microsite for a conference. Pretty cool. But then they forgot it existed.

Cut to 2018, and the university are being fined £120,000 from the ICO. The data breach is thought to have happened in 2013, then again in 2016 thanks to a SQL flaw and some PHP exploits that opened up the databases. One of the hackers then posted the data to Pastebin.

Data hack
The site was hacked, which is bad enough. But when it’s linked to a database with personal data of around 19,500 uni students, staff, alumni and conference attendees, it’s really bad.

The microsite was used by conference attendees to upload documents anonymously via a URL. After the conference the site wasn’t removed, was forgotten about, and wasn’t updated with any security patches for over a decade.

The major flaw here is that the site hadn’t been built or monitored by someone who knew what they were doing. How many more sites like this exist? (I’d say a lot).

Security breach
The fact that the university only realised that there had been a breach in June 2016, shows how a microsite like this could exist completely unaccounted for. The ICO‘s report stated that the university had “failed to put technical and organisational measures in place” to ensure that a security breach wouldn’t occur. I’d imagine that security has been their top priority since this blunder.

And the moral of this tale? Shadow IT is your tech team’s biggest nightmare. This is why having systems and controls in place are so important. Record every server that you spin up, monitor them, patch regularly. Or just get a managed host to do that for you 😜

No votes yet.
Please wait...

 

Leave a Reply

avatar
  Subscribe  
Notify of

Hyve are 100% carbon neutral. We use carbon offsetting to balance out the release of carbon dioxide from our offices and infrastructure.