Data security at risk at Warwick, audit report reveals

The University of Warwick has data security issues, which have been hidden from students and staff, according to a report.

A data protection audit report by the Information Commissioner’s Office (ICO) has revealed that the University does not have adequate data protection in place to combat against data breaches.

The report has revealed that University IT systems could not prevent hackers or identify if a data breach occurred, putting the personal data of students and staff at risk.

The report stated: “There is a lack of oversight and control over data from certain core systems feeding into other information resources risking unanticipated data leakage.”

The University does not have a centralised system of processing information security, which poses a risk at the departmental level, the report added.

According to Sky News, an internal audit identified “a number of critical vulnerabilities [that] had been known to the University’s executive since at least last July”. Students and staff were not made aware of any data breaches.

The report undertaken by the ICO, also outlined that there was a lack of training and awareness among staff regarding data security and has issued over 70 security recommendations.

The internal audit stated: “Our findings suggest that there are insufficient cyber security measures in place to adequately protect IT systems and data.

“Existing IT security could not detect attempts to scan and hack systems. No solution was in place to detect if data was to be accessed, copied or changed,” they added.

A spokesperson for the ICO said: “We contacted the University of Warwick to assess their data protection practices as part of an audit.

Our findings suggest that there are insufficient cyber security measures in place to adequately protect IT systems and data

“This followed concerns we had about how the university was handling personal data. We made several recommendations to the university and will be following up to assess improvements made.”

In a separate security related incident in November 2019, some students were informed that they had to change their password as their “IT services account password was found in a list of leaked passwords”.

“This does not mean your account has been compromised, but you should take immediate action to protect it,” the message added.

A student, who had to change their password told The Boar: “Myself and a few of my friends got the same email back in November last year from the IT services team that we had to change our passwords because they were present on publicly available lists.

“I use a variation of the same few passwords for a lot of things so this was obviously really concerning but the university didn’t give us any more information about what had happened or what they’d done in light of this.”

It is unknown as to how many students had to change their password in November.

When contacted by The Boar, the University said: “Over the last two years, the University of Warwick has invested significant time, effort and resource, recruiting 19 new staff, to systematically tackle the increasingly complex and urgent challenges that Information Security and Data Protection pose for us.

“We welcome the report and its findings as it very much confirms and helps inform our own analysis of what still needs to be done.

“We believe that the audit and subsequent action plan is a very helpful and a complementary tool to assist us in completing a programme of work that will strengthen our own processes and policies,” they added.

In October 2019, GCHQ’s National Cyber Security Centre and the Centre for the Protection of National Infrastructure said UK universities were being targeted for “personal information, research data and intellectual property”.

(UPDATE: 08.04.2020 19:45): Universities Minister Michelle Donelan released a statement regarding data security at Warwick and at other institutions. She said: “It is imperative that student and staff data is secure. Every university must ensure their online security is as robust as possible to protect private data from cyber threats.

“I expect the University of Warwick to implement the recommendations made by the Information Commissioner’s Office regarding how it secures personal data.

“I would also urge any institution to follow the world-leading cyber security advice provided by the National Cyber Security Centre on their website.”