Experts analyse University of Nottingham cyber-attack
Last week hackers from a well-known criminal group launched a major cyber-attack on the University of Nottingham.
On 10 June, the university confirmed hackers had accessed "a significant amount of data" belonging to current and ex-students - including financial information - from its record system.
Two cyber security experts - Troy Hunt, founder of Have I Been Pwned, and Jonathan Lee, from cyber security firm Trend AI - look at how the data breach took place and its implications.
How did the attack happen?
The experts point to two methods that could have been used to carry out the cyber-attack.
Hunt said the hackers could have called the university on the phone and gained access to the data through voice phishing.
Voice phishing is where fraudulent phone calls are used to trick people into giving away money or sharing personal information.
However, Lee believes this was likely to be a supply chain attack.
He said this was a common method of attack for cyber criminals, where a third-party supplier to an organisation is breached and this leads to a cyber attack.
Lee said hackers could access networks from university campuses through "vulnerabilities" or "holes" in systems.
"So it's quite possible that this vulnerability in a third-party system that managed all the student data was the way that the threat actor was able to get into the environment and then move around," he said.
Who is behind the attack?
According to the Have I Been Pwned website, a hacking group called ShinyHunters has claimed responsibility for the cyber attack.
Hunt said the hackers were "usually teenagers or early 20s, very often still legally children".
Lee said this group's "normal way of operating" was "voice phishing" but still believes this case was a supply chain attack.
How many people are affected?
According to Hunt, 455,000 unique email addresses were part of the breach.
However, he said the number of people affected "will be a subset of that... for example, there are many instances where there is both a university email address and a personal email address".
Lee said he learned from a trusted source that about 40 gigabytes of data had "gone missing".
"It's going to be a large number of people because it's both current students and alumni as well," he said.
What data has been published?
Jason Carter, the university's chief governance and risk officer, said in an email to students, seen by the BBC, that they were operating on the precautionary assumption that four categories of information had been accessed.
These were:
- Contact information including names, email and postal addresses
- University-related details including course information, student/staff ID
- Financial information
- Personal information including NI numbers and protected characteristics
Hunt said the information that was now publicly available included academic records, citizenship statuses, dates of birth, disabilities, email addresses, ethnicities, genders, IP addresses, names, passport numbers, phone numbers, physical addresses, purchases, and usernames.
Why do hackers do this?
Hunt said the reason for carrying out an attack of this nature was "definitely for financial gain".
Data such as names, addresses, national insurance numbers and email addresses were valuable for hackers to either sell on or use for "nefarious means", Lee added.
"All of that information is like gold dust to cyber criminals who might try and then impersonate others to take over their identity or misuse that information some way in future," he said.
How serious is this?
Hunt said one of the data classes in the breach was passport numbers, which there were "tens of thousands of".
"So if you're in there and you have a passport number exposed next to your other PII (Personally Identifiable Information), I'd be quite worried about that because passport numbers are a form of identity verification.
"That does elevate your risk of having things like identity theft."
Lee said it was now important for students to take "appropriate action" to keep themselves secure from follow-up attacks in which cyber criminals might attempt to impersonate them in order to get more information or misuse the information.
He said it was important for people to practise good "cyber hygiene", which included having strong passwords with multifactor authentication for websites and apps, but added people should not panic.
"Also, be vigilant of things like phone calls from people you aren't expecting, asking you to do things at speed," Lee said.
Who is investigating the attack?
The East Midlands Special Operations Unit (EMSOU) has confirmed it is investigating.
EMSOU has a dedicated Regional Cyber Crime Unit.
A spokesperson said: "We are currently investigating a cyber incident at the University of Nottingham. The investigation is in its early stages and we are unable to comment further."
What has the university said?
A University of Nottingham spokesperson said: "The University of Nottingham has been the victim of a cyber incident and a significant amount of data in our student record system has been accessed by a well-known cybercriminal group.
"This is now the subject of a criminal investigation. We are working with the third party that maintains the platform to investigate and we will continue to support the police with their enquiries.
"While the investigation continues, we are unable to provide further information on the nature and extent of the cyber attack.
"We understand that those affected will have concerns about what this means for their personal data and we are contacting them directly to offer advice and support as we learn more about the incident.
"We have set up a telephone helpline to provide practical support and advice for anyone that has concerns over how this incident may have affected the security of their personal data.
"We take the privacy and security of data that we hold seriously.
"We have notified the Information Commissioner's Office in accordance with our legal obligations.
"The National Cyber Security Centre, the Office for Students and Action Fraud have also been notified."
The university said it would not be offering any further information due to an ongoing criminal investigation into the attack.
