Back in 2004, a tech-savvy student at The University of Greenwich made a microsite for a conference. Pretty cool. But then they forgot it existed.
Cut to 2018, and the university is being fined £120,000 by the ICO. The data breach is thought to have happened in 2013, then again in 2016, thanks to a SQL flaw and some PHP exploits that opened up the databases. One of the hackers then posted the data to Pastebin.
The site was hacked, which is bad enough. But when it’s linked to a database with personal data of around 19,500 uni students, staff, alumni and conference attendees, it’s really bad.
The microsite was used by conference attendees to upload documents anonymously via a URL. After the conference the site wasn’t removed, was forgotten about, and wasn’t updated with any security patches for over a decade, while still being linked to that database.
The major flaw here is that the site hadn’t been built or monitored by someone who knew what they were doing. How many more sites like this exist? (I’d say a lot).
The fact that the university only realised that there had been a breach in June 2016 shows how a microsite like this could exist completely unaccounted for. The ICO’s report stated that the university had “failed to put technical and organisational measures in place” to ensure that a security breach wouldn’t occur. I’d imagine that security has been their top priority since this blunder.
And the moral of this tale? Shadow IT is your tech team’s biggest nightmare. This is why having systems and controls in place is so important. Record every server that you spin up, monitor them, patch regularly, and decommission them when they’re no longer needed. Or just get a managed host to do that for you 😜