Staff at Newcastle University are warning the institution is “completely crippled” and said they have “no idea how we are going to welcome students in three weeks’ time” due to the double impact of the coronavirus pandemic and a cyber attack.
For new starters, term is due to begin on 28 September with continuing students returning a week later due to COVID-19, but staff have expressed concerns to Sky News this could be delayed due to the situation with the institution’s IT services and the university’s ability to handle coronavirus requirements.
A spokesperson for the university has told Sky News: “Our semester will commence as planned… and we have business continuity arrangements in place to register our students.
“Our teams are working extremely hard to ensure this group of young people – who have already been through so much this summer as a result of COVID – are able to start here at Newcastle in a few weeks’ time and this sort of misinformation designed to sow confusion and anxiety among our students is unhelpful.”
A staff member who spoke to Sky News on the condition of anonymity dismissed this allegation, and said there were “genuine and legitimate concerns which the university should be focusing on rather than managing its reputation”.
“The university is absolutely not being straight here,” they added, noting that as of Wednesday afternoon the university was unable to allocate accommodation for first year students due to the cyber attack taking down the system.
Hackers claim to be currently holding Newcastle University to ransom having broken into its computer network and stolen data before encrypting the machines using the DoppelPaymer malware on 30 August.
The university has manually registered “over 1,000 medicine and dentistry students who started with us this week” it told Sky News, with more manual registrations expected, meaning those students can access their student loans.
Several purportedly stolen documents have already been leaked to the criminals’ dark web site, and a message on Twitter apparently from the hackers has threatened to leak students’ personal data as part of their efforts to extort the university.
Students have complained to Sky News and on social media that the university hasn’t adequately informed them about the incident, and the university has not made any public statements about a ransom attempt.
A non-public email sent to staff and seen by Sky News also does not mention the cyber extortion, and suggests the university has still not been able to determine whether individuals’ data was stolen by the hackers.
In an FAQ titled “Is my personal information compromised?” sent to staff and seen by Sky News, the university appears to suggest it still hasn’t established what may have been stolen despite more than a week of incident response.
“The investigation into the incident is still at an early stage,” the answer to the FAQ says. “IT colleagues continue to work hard on the systems recovery plan, and to support the police and the National Crime Agency with their enquiries,” it adds.
“Please be assured we take the security of our systems extremely seriously and we were able to respond quickly to this incident,” the FAQ assures its audience – although not all have been convinced.
Referencing this statement, a member of staff who spoke to Sky News on the condition of anonymity, said: “I have lost all faith in my employers’ ability to keep my data safe given they aren’t even telling us what is going on.”
A university spokesperson said: “The university has a large and extensive IT estate with many systems. Each system must now be checked carefully and thoroughly to understand the extent of any damage and to preserve any evidence for the police.
“We have been as open as we can be during this phase with both our staff and students, without risking compromising or delaying this investigation. We are sorry for the disruption this is causing to our staff, students and partners.”
Sky News understands that the university is still on the first page of a six-page recovery plan, and attempting to establish which of its 1,500 servers have been infected by the malware. It is not clear how it will progress through this recovery plan by the beginning of the academic term.
Universities told not to send students home in the event of an outbreak
Sky News has learnt that the damage from the breach for university staff and students could also include the hackers having accessed plain text passwords – passwords stored as “PASSWORD” rather than in a protected format.
Correspondence between students and the IT service desk shared with Sky News confirms that their passwords are stored without being encrypted, with IT staff able to retrieve students’ passwords and email them to members if they are forgotten.
This is a significant information security shortcoming, with most authorities recommending that passwords are saved in a format so that even the system administrators are unable to retrieve them.
It is also directly contrary to advice from the UK’s National Cyber Security Centre (NCSC) which explicitly recommends that organisations “do not store passwords as plain text”.
Despite this the university told Sky News: “The university uses industry-standard tools and processes to record and protect account information and, in particular, passwords,” and claimed: “We follow NCSC guidance on password practices.”
The university’s password policy requires the passwords are eight characters long – no more and no less – and only contain numbers and letters which are insensitive to case, making it much easier for criminals to guess them.
If the university is assessed to have been careless in protecting personal information, it could face a significant fine under the General Data Protection Regulations.
However the UK’s Information Commissioner’s Office has historically been hesitant to hand out such fines for security breaches at higher education facilities.
In a publicly available FAQ, the university has warned: “It is possible we will need to reset all Newcastle University user accounts but we will let you know when this needs to happen.”