This paper was converted on www.awesomepapers.org from LaTeX by an anonymous user.
Want to know more? Visit the Converter page.

Understanding Cyber Threats Against the Universities, Colleges, and Schools

Harjinder Singh Lallie Andrew Thompson Elzbieta Titis elizabeth.titis@warwick.ac.uk Paul Stephens *Cyber Security Centre, WMG, University of Warwick, Coventry, CV4 7AL, ‡Kagool, 5th Floor, One Friargate, Station Square, Coventry, CV1 2GN, †Canterbury Christ Church University, North Holmes Road, Canterbury, Kent, CT1 1QU
Abstract

Universities hold and process a vast amount of valuable user and research data. This makes them a prime target for cyber criminals. Additionally, universities and other educational settings, such as schools and college IT systems, have become a prime target for some of their own students – often motivated by an opportunity to cause damage to networks and websites, and/or improve their grades.

This paper provides a focused assessment of the current cyber security threat to universities, colleges, and schools (‘the education sector’) worldwide, providing chronological sequencing of attacks and highlighting the insider threat posed by students. Fifty-eight attacks were identified, with ransomware being the most common type of external attack, and hacking motivated by personal gain showing as the most common form of internal attack. Students, who have become a significant internal threat by either aiding or carrying out attacks are not a homogeneous group, as students may be motivated by different factors, therefore calling for targeted responses. Furthermore, the education sector is increasingly reliant on third party IT service providers meaning attacks on third parties can impact the university and its users. There is very little research analysing this problem, even less research analysing the problem in the context of schools. Hence this paper provides one of the first known assessment of the cyber attacks against the education sector, focusing on insider threat posed by students and offering recommendations for mitigating wider cyber threats.

keywords:
cybercrime , UK universities , cyber attack timeline , insider threat , human factors , cyber security awareness

1 Introduction

Universities hold critical research data as well as information on more than 3 million staff and students and millions of alumni [1, 2]. University networks are extraordinarily complex with tens-of-thousands of users logging on daily using a variety of personal devices, hosting a range of cyber security protection. In addition, users log on from a wide range of locations, and have a wide range of motivations for accessing the data that they do. University websites are designed with an inherent level of openness revealing, amongst other data, course tutor, support staff, and research staff details. This is a large and diverse surface area potentially encompassing a huge range of vulnerabilities.

This technical landscape creates easier opportunities for perpetrators to launch cyber attacks, particularly targetting people in jobs that have access to strategic or confidential data [3]. Universities have become popular cyber crime targets for various adversaries such as state-sponsored actors, criminals, and insiders [4, 5]. At the time of writing, spear-phishing and social engineering remain the main external attack vectors against universities, with ransomware increasingly becoming the greatest single cause of disruption [6]. The types of data targeted include emails, bulk personal information on staff and students, technical resources, and sensitive research and intellectual property [6]. While the effects of cyber crime are perhaps most disruptive for universities, state-sponsored espionage is likely the cause of greater long-term damage, including damage to the value of research and the UK’s knowledge advantage [6].

Other than a report by JISC [7], there is a lacuna of research surrounding cyber attacks on, and the cyber security posture of, educational establishments such as universities, colleges, and schools. The present study draws on publicly available data to outline the range of prevalent attacks against the education sector.

In the UK, ‘college’ usually refers to further education (FE) attended by students at the age of 16, after school, and before university. Students from the age of 16 can either choose a state sixth form college or a college of further education as an alternative to private education, both types preparing them for entry to an university. This is in contrast to the US terminology in which ‘college’ is often used generally to refer to university, or specifically undergraduate institutions in universities, such as Yale College or Harvard College. We define ‘school’ according to the Education Act 1997 as an educational institution which is outside the FE sector and the HE sector, and is an institution for providing (a) primary education, (b) secondary education, or (c) both primary and secondary education. In this paper, we refer jointly to schools and colleges as ‘schools’ to distinguish them from universities.

Our key contribution includes a novel timeline of key cyber attacks, providing chronological sequencing of attacks to serve as a platform to align with current literature, as well as offering the foundation for others to build on. We also compile a list of attacks carried by students against their home schools and universities to help frame the discussion of insider threat.

The paper is organised as follows: relevant cyber attack and cyber crime literature is reviewed in Section 2 (including discussion of human factors in academic settings, most common threats faced by universities worldwide, and university cyber defence weaknesses), followed by a discussion of our methodology for creating a cyber attack timeline in Section 3. We then discuss results in Section 4 followed by presenting a broader reflection on the attacks in Section 5, the latter including discussion of insider threat and human factors moderators, impact and mitigation, and the potential limitations of the work before concluding and proposing future work in Section 6.

2 Background

This section analyses published research into cyber-attacks on universities. We were not able to identify any meaningful research into cyber security, and specifically cyber attacks, against schools and/or colleges. This outlines a clear research gap which the present contribution aims to address.

Cyber attacks against universities have been increasing in recent years [8, 9, 10], with the average cost of addressing a cyber attack amounting to £620,000 in 2021 [11]. The most significant rise in cyber attacks has come in the form of ransomware attacks [12]. JISC provide example costs associated with recovery from cyber attacks. A 2019 university phishing attack resulted in a cost of £65,000 related to staff response time and “significant legal costs”; a 2020 phishing campaign against a UK college led to recovery costs of c£30,000; a 2020 password compromise led to a response cost of £40,000; another 2020 password compromise led to a compromise of users in other universities leaving around 1,000 accounts compromised and around 80 days of response effort. These figures do not include the opportunity cost created by the redeployment of staff and resources which might not otherwise have expected to have been applied, nor the time lost for end users [13].

University infrastructures are growing, student numbers are increasing, and investment in buildings and resources is rising across the world [14]. Recently, as COVID-19 brought greater reliance on digital systems and networks [15], the pandemic also expanded the attack surface with most businesses and institutions moving services online [16].

The impact of a cyber attack extends across multiple dimensions and beyond the confines of the university [17]. For example, were attackers to steal critical research through a cyber attack, the researchers would lose the opportunity to publish the research, the university could become less valuable to investors, and funding may be impacted [17]. Such an attack could impact other sectors too. So if the research was of a particularly sensitive nature to bodies such as the military or national defence, this could pose a grave threat to the whole country [17]. The extended impact is exemplified by a May 2020 cyber attack where a third-party service experienced a ransomware attack, which impacted several universities both in terms of data availability and confidentiality (exfiltration) [13]. Awareness, training, and certification are three of five solutions posited in the first version of the JISC report as mechanisms to reduce the likelihood of a cyber attack against a university, the other two being strong leadership and adherence to technical basics [13]. Version 2 of the JISC report reflects more recent incidents and associated guidance, and stresses the importance of cyber insurance [7].

Although certification schemes such as Cyber Essentials exist to enable organisations to improve their cyber security posture, many UK businesses and charities are unaware of these schemes [8], resulting in poor cyber security practices. In 2017, the average self-rating of a university’s cyber security posture was 5.8 out of 10, rising to 6.5 for those that had obtained the Cyber Essentials certification [18]. More recently, the JISC Posture Survey [13] revealed a perception of low cyber security posture amongst HEI and UK college stakeholders with a mean score of 6.4/10 and 7/10 respectively and just 10% and 36% scoring their institution more than 8. In the following sections we discuss the value of training and reporting to ongoing efforts in the fight against cyber crime, we also present common attacks faced by universities globally, with special considerations for internal threats posed by students.

2.1 Training and reporting

Communication is important in achieving an acceptable cyber security culture, which could prepare universities to battle ongoing attacks better than big funding or sophisticated technical systems [19]. However, a survey of UK universities revealed that: a) only 54% of UK university staff had received cyber security training, universities were only spending an average of £7,529 on cyber security training for staff in 2019; b) 51% of universities proactively issued cyber security training and information to students; and c) 37% only offered support to students that requested it whereas 12% did not offer any kind of cyber security guidance or training to their students [20]. Table 1 shows a sample of studies that have examined cyber security awareness and its relationship with various human factors involving students.

Overall, students had a good cyber security intuitive judgment, but their overall competence differed in regards to various aspects of cyber security [21], especially in relation to distinguishing between genuine and spear-phishing emails [22]. There is indeed a need and a space for improvements regarding cyber awareness [23], but student engagement with such initiatives is limited [24]. [23] developed a practical cyber awareness education framework (CAEF) to assist in building the tailored syllabus, showing a positive association between cyber security awareness and cyber security behaviour [25]. The large number and wide variety of users at universities may pose challenges in terms of tracking who has completed training and developing a training regime that adequately covers appropriate assets for individuals [26]; moreover, these challenges may be further exacerbated by high staff turnover [4].

Ref Study Population Sample* Human Factor Moderators Results
[22] Unnamed large South Australian university 121 Cyber security behaviour, knowledge of cyber security, social engineering strategy, decision making style Users struggled to distinguish between genuine and spear-phishing emails. When detecting phishing and spear-phishing emails, users performed the worst when the emails used the authority principle and performed best when social proof was present. Users who were less impulsive in making decisions generally were less likely to judge a link as safe in the fraudulent emails.
[21] Unnamed northeastern United States of America public university 462 Cyber security behaviour, knowledge of cyber security, intuitive or rational judgement The average percentage correct of cyber security judgment was about 65%. Three groups of ordinary users are low cyber security judgement, moderate cyber security judgement, and high cyber security judgement. Students also differed in their judgment competence on different aspects of cyber security and their rational judgment underperformed their intuitive judgment.
[27] Australian National University, Australia 138 Cyber security behaviour, knowledge of cyber security, social engineering strategy, gender, international or domestic, primed to cyber attacks Although tailored and individually crafted email scams were more likely to induce engagement than generic scams, differences were not significant. International students and first year students were deceived by significantly more scams than domestic students and later year students.
[24] Central University Technology, South Africa 43 Level of social media use, cyber security training history There apears to be a reluctance amongst students to engage with cyber security awareness (CSA) initiatives that are available. Students engaged with social media platforms at least once a week with Facebook and YouTube the most popular. They also used communication media like websites to pursue material about CSA.
[23] International School for Business and Social Studies, Slovenia 35 Cyber security behaviour, knowledge of cyber security, computer skill, willingness to attend training There is a need and a space for improvements regarding cyber awareness. Detailed recommendations and cyber awareness education framework (CAEF) proposed for curricula changes at each level of the evaluated education systems and practice.
[28] Fahad Bin Sultan University, Saudi Arabia 189 Cyber security behaviour, knowledge of cyber security Students’ awareness was average with no difference in awareness levels between male and female students.
[29] University of New South Wales, Australia 158 Cyber security behaviour, knowledge of cyber security, training style preference Students struggled to remain engaged and found the labs were pitched at a high-level. Applying proven teaching methods, following internationally recognised frameworks and recommendations, improved the level of engagement.
[25] Ariel University, Israel; Lublin University, Poland; International School for Business and Social Studies, Slovenia; unnamed Turkish universities 459** Cyber security behaviour, knowledge of cyber security, computer skill, willingness to attend training, cyber security training history, county of education, gender Users possess adequate cyber threat awareness but apply only minimal protective measures usually relatively common and simple ones. Higher cyber knowledge is connected to the level of cyber awareness, beyond the differences in respondent country or gender. Awareness is also connected to protection tools, but not to information users were willing to disclose. There are also differences between the countries that affect the interaction between awareness, knowledge, and behaviors.
* All the studies used convenience sampling except [28] who used random sampling.
**89 Israeli students; 182 Polish students; 35 Slovenian students; 153 Turkish students.
Table 1: Summary of previous studies that looked at cyber security awareness at universities, including results and significant predictors examined.

In addition to training, reporting may be of particular value to ongoing efforts in the fight against cyber crime. However, public disclosure of sustained attacks does not appear common and there may be significant levels of under-reporting, with only three in ten incidents being reported in 2020 [30]. Full disclosures, such as that by the University of Sunderland, which sustained a cyber attack in 2021 and chose to share this information publicly soon after, are quite rare [14].

A wide range of reasons may explain low reporting by victims, such as not knowing of being defrauded, feeling partly responsible, or embarrassed, the attitude of statutory bodies, and overall confusion. Since enhanced cyber security leads to higher identification of attacks, less cyber mature organisations may be more likely to under report [8]. Moreover, because data breaches dent university finances and reputations, it is also possible that universities choose not to report due to balancing the perceived costs of reporting against the expected benefits. Indeed, financial and reputational concerns often prevent financial businesses to report cyber crime from the fear of losing trust in the company and its products [31]. The type of cyber crime and its impact may be relevant to the reporting decision for businesses, whereas having cyber security insurance may not [32]; the relative importance of these factors to reporting cyber crime for HEIs is currently unknown.

2.2 Common attacks faced by universities

A variety of threats targeting both students and staff have been recognised in the literature, including phishing, DDoS attacks, ransomware, and terrorist and internal threats.

Phishing

Phishing remains one of the most popular attack techniques, with some universities receiving millions of phishing emails each year [33]. Spear-phishing may lead to a speedy compromise of university networks, providing access to valuable data including personal data, finance systems, and research networks [34, 35].

Cyber threat actors often leverage societal events to take advantage of human factors. A good example of this was the plethora of cyber crime related reports which were linked to the COVID-19 pandemic [15]. Similarly, the start of an academic year increases the prevalence of phishing emails that offer free grants or requests for bank details to be updated so that loans can be paid [34]. One example includes the phishing attack carried against the University of New South Wales, in which the perpetrator compromised the Facebook account of the university, encouraging followers to consider alternative top universities around the time of an open day [36].

Sophisticated campaigns, such as Silent Librarian, have also compromised the credentials of academic staff and students through highly-targeted socially engineered spear-phishing emails [34, 37]. These credentials have been used to access important research or proprietary academic information [38, 39]. Other campaigns, such as Stolen Pencil involved spear-phishing attacks distributing malicious Trojans [40, 41], aimed specifically at academics in certain disciplines such as biomedical engineering [42].

DDoS attacks

In 2016, 63 UK universities had suffered from DDoS attacks [18], whilst in 2019 DDoS attacks continued to be on the rise, with a successful attack on the University of Edinburgh making headline news [34]. In 2021, there was a 102% increase in such attacks targeting universities, colleges, and schools with a DDoS attack occurring every three seconds [43].

Ransomware

Ransomware attacks against schools, colleges and universities in the UK have been on the rise since August/September 2020, with significant spikes in February 2021 and again in May/June 2021 [44]. Prior to that it was estimated that a third of UK universities were subjected to ransomware attacks between 2010 and 2020 [45]. As of 2021, ransomware has become the most significant cyber threat for businesses and small and medium enterprises (SMEs) in the UK [16], having an impact comparable to state-sponsored espionage [46]. Globally, it has been estimated that in 2022, 5% of all ransomware attacks were directed at education sectors, with the average data breach cost in education at 3.86 million dollars [47].

Although law enforcement do not encourage, endorse, nor condone the payment of ransom demands, several universities have reported paying cyber criminals to unlock their systems, such as Maastricht University that paid nearly €200,000 of bitcoin to regain access to research and recover its commercial operations [48], and the University of California, San Francisco that paid attackers $1.14 million to recover hacked data from its School of Medicine [49].

However, payment of the ransom does not guarantee a return to full system restoration, as in the case of Regis University, which had day-to-day operational disruption for months after paying a ransom [50]. Ransomware may also present an existential threat to colleges and smaller universities that may not be able to withstand the financial impact of paying a high ransom. It is therefore essential for universities to enact a range of measures to help recover from ransomware attacks such as keeping offline backups of their most important files and data, in addition to utilising a defence-in-depth strategy for mitigating malware and ransomware attacks [51].

Universities are prone to cyber attacks from a wide variety of actors which include state, terrorist, hacktivist, and even their own students.

State, terrorist, and hacktivist actors

Terrorist organisations can also compromise universities’ websites to display messages promoting their causes, as in the case of Tsinghua University in China having its website compromised by putting a photograph and audio in support of holy war [52], and University of Botswana having its logo replaced by an image of the hacktivist group Anonymous [53]. Cyber criminals have also targeted Australian and American university websites, in some cases inserting hyperlinks and malicious code directing students to “essay mill” sites to seemingly legitimise professional contract cheating services [54], or to fake essay contests that harvest the work of students for resale [55].

State-sponsored cyber warfare instances include the Australia National University allegedly attacked by the Chinese state [56], Korea University allegedly attacked by the North Korean state [57], and Bar Ilan University allegedly attacked by Iran using a wiper attack [58, 59]. In 2022, the education sector were the target of nation-state actors 14% of the time [60], with North Korea being allegedly responsible for 23% of all the attacks [60].

Other malware attacks have led to disruption to universities, and institutions having to implement measures to protect their students and staff. For example, the University of Giessen had to resort to physically handing out new email passwords to its 38,000 students and staff after their network was inaccessible for several weeks, a process that took a week [61]. Similarly, after a malware attack on a software application used for financial management at the University of California, Berkeley, the university provided its impacted students and staff with a year of free credit monitoring and identity theft insurance, along with resources to assist them in monitoring their accounts for any suspicious activity [62].

Internal threat

Having a unique level of institutional access, students may present a particular type of threat either as targets of phishing attacks, or for deliberate malicious reasons such as viewing and altering grades, playing pranks, testing their own hacking abilities, or carrying revenge. The literature highlights cases of student grade manipulation, including attacks at Austin’s Business School [5] and instances within Kenyan universities where the outstanding fee balances for some students had been altered [63]. Moreover, at the University of Alberta, a student compromised over 3,300 accounts [64], whereas an insider at Rutgers University took down the institution’s central authentication server that maintained the gateway portal to deliver assignments and assessments [65].

In this paper we examine cyber crime that has taken place within the education sector. We investigate external and also internal student generated cyber attacks. There is a distinct lack of academic literature in this domain, as many studies that have researched cyber crime at universities are from an international context, usually from a specific country without international comparisons. For this reason, our research required greater reliance on data and information provided by cyber security companies, news sources, and government organisations than traditional academic outlets. In the follow up section, we describe our data and methodology in more detail.

3 Timeline creation methodology

There is very little academic data available on the problem of internal and external cyber threats against the university, college, and schools sector, therefore our literature search relied largely on new sources. Our data gathering method was similar to that used in [15]. For each cyber threat, we identified multiple sources. A mixture of traditional repositories (e.g., Web of Science, Scorpus) and other reputable sources were considered, the latter including news outlets (Reuters, BBC), blog articles, security company reports, social media posts, and search engines (Google, Bing). Occasionally, some elements of the intelligence contradicted each other. We had to reason with this and only use reliable data following a typical cyber-intelligence operation. Only articles in English were included in the analysis; we ignored cases where we were not able to attribute the attack.

Cyber security news sites are a useful source of information on cyber attacks. In our opinion, some of the reputable sources of information on cyber attacks include: computerweekly.com, cybersecurity-insiders.com, cyware.com, infosecurity-magazine.com itgovernance.co.uk, itpro.co.uk, recordedfuture.com, securityweek.com, thehackernews.com, theregister.com, threatpost.com, and zdnet.com. The Google “site:” function was used to search these websites. As these sites focus on cyber security, the search terms “university”, “universities”, and “Higher Education” could be used to find any news items that may mention a cyber attack on a university.

A variety of keywords were used when collating reports of cyber attacks, including combination of keywords, e.g., “university” and “cyber attack”. One of the challenges has been that of the use of inconsistent terminology to refer to important concepts within the domain (e.g., perpetrator, hacker, attacker to mean the same thing), as previously highlighted in [15]. The same problem exists in terms of categorising motivation of perpetrators, as many different categories have been proposed [66, 67]. The review of reports was performed up to 2022, providing a basis to be built upon in future studies, both for future attacks and study gaps.

Twitter was used to locate any news on university cyber attacks that had received less publicity. This was done using the advanced search term “university cyber attack until:2022-12-31 since:2015-01-01 -filter:replies”.

Despite our best efforts to discover what we could about each cyber-attack, some attacks remained shrouded in silence. E.g. the cyber attack on University of Hertfordshire (number 51 in Table LABEL:Table-CombinedCyberAttacks) was believed to be ransomware, but no information was released to confirm this [45, 68, 69]. Similarly the attacks on Glasgow Caledonian University (row 52) and University of Sunderland (row 55) did not reveal full details.

Although the names of perpetrators in the case studies we refer are in the public domain, other than in a few famous cases, we have anonymised names within this report.

4 Results and analysis of cyber-attacks and associated risks

In this section, we examine the cyber attacks on universities, colleges, and schools in further detail. The data provided herein outlines the attack date, type (e.g., physical attack or DDoS), victim, description and impact. The discussion is based on a chronological timeline provided in Table LABEL:Table-CombinedCyberAttacks and supported by Figure LABEL:Figure-UK-Atttack-Timeline.

Figure LABEL:Figure-UK-Atttack-Timeline provides a detailed temporal representation of the chain of key cyber attacks, aiding an understanding of how universities were exploited and impacted by cyber crime. The timeline is presented chronologically. Each cyber attack is coupled with four icons which represent, from top to bottom, the type of perpetrator, the type of attack, the impact of the attack, and the motive. Each of these is then further subdivided as follows:

  • Perpetrator entity: hacker, other, high school student, unknown

  • Attack type: denial of service, extortion, hacking, SQL injection, keylogger, malware, phishing, ransomware, unknown

  • Impact: confidentiality, integrity, availability

  • Motive: financial, other prank, personal gain, unknown

These are not conclusive sub-categories. For example, there are many other attack types, however, we have only included categories revealed in the research.

A key at the bottom right of Figure LABEL:Figure-UK-Atttack-Timeline explains the colour coding and the categories.

The data presented in Figure LABEL:Figure-UK-Atttack-Timeline is derived from Table LABEL:Table-CombinedCyberAttacks which summarises cyber attacks against education institutions. The data presented includes attack type, date, and additional description of attack, attribution (name of offender), and impact (e.g., altered grades or prank).

Fifty-eight cyber attacks were identified, with the oldest and the most recent ones taking place in February 1988 and September 2022, respectively. Universities from different groups have been compromised, with highest numbers of reported attacks showing in 2019 (thirteen attacks), 2020 (nine attacks), and 2021 (ten attacks).

Each cyber attack was categorised and the impact was also outlined. So, ‘D.A’ means a denial of service attack which resulted in loss of availability. Where there is data missing in the attack type/impact column, this is because the data was not available to the authors. A key at the bottom of the table explains this categorisation system. We can presume that all publicly known attacks resulted in a loss of reputation and financial loss. Although we have categorised the cyber attacks into a single overarching category, in reality, the cyber attacks may have involved multiple attack elements. So, a ransomware attack may have involved phishing and a DoS attack before the ransomware was activated. Our data does not gather this level of granular detail. Although in some cases the impact of an attack may have both exfiltration and loss of availability, this was not specified in any of the attacks that we analysed.

The data in Table LABEL:Table-CombinedCyberAttacks reveals 2 injection attacks, 4 denial of service attacks, 6 phishing attacks and 7 ransomware attacks. Aside from reputational and financial impact, loss of availability was the more dominant impact with 21 of the cases experiencing this, and 12 institutions admitting to the exfiltration of data.

Prior to 2015, we found only single instances of reported attacks each year, however, good quality reporting on cyber attacks before 2012 was hard to uncover due to poorer legislation. As legislation has tightened, and organisations are under more stringent pressure to report cyber security breaches, the quality of data became better.

4.1 Analysing the Insider Threat

Our analysis depicted 28 cases of insider attacks by both university (50%, n=14) and school students (50%, n=14), majority of which resulted from hacking (61%, n=17) and where the intention was to alter marks (28%, n=8) or playing pranks (21%, n=6). We also noted some differences between the two groups of students in terms of motivation and types of attack carried; for example, school students carried more DDoS attacks and were more likely to play pranks, whereas university students were more financially motivated.

Table LABEL:Table-CombinedCyberAttacks shows that the majority of attacks by university students was for the purpose of altering grades (35%, n=5), followed by financial gain (21%, n=3) and playing prank (14%, n=2), however, students were motivated by various illegal gains, including hacking, legitimate challenges set by tutors, copyright theft, and personal gain. When comparing results with school students, the motivation to carry cyber attack was less varied and mostly perpetrated for the purpose of altering grades (28%, n=4), playing pranks (28%, n=4), and receiving personal benefit (n=3, 21%). 9 cases of grade manipulation among both group of students indicate that improving grades is important motivational driver for cyber attacks against educational institutions [70].

The majority of attacks carried by university students resulted from hacking (71%, n=10), including 1 harmless hacking, and 4 other attacks were enabled by either virus, malware, copyright theft, web site defacement, and phone fraud. Similarly attacks by school students were mostly the result of hacking (57%, n=8), however, there were more DDoS attacks in the mix (21%, n=3), and other unique types of attacks included single instances of deception, bug hunting, and cyber attack.

5 Discussion

Our analysis identified ransomware as the most common type of external attack carried against universities, and hacking for the purpose of personal gain as the most common form of internal attack. According to NCSC [6], attackers regularly exploit weak passwords, lack of multi-factor authentication (MFA), and unpatched vulnerabilities in software; they also often have previous knowledge of user credentials, which further aids the attack [6]. Recently, attackers would have sought to engage in sabotaging backup or auditing devices, encrypting entire virtual servers, and using scripting environments (e.g., PowerShell) to easily deploy tooling or ransomware [6].

We now proceed to discuss the insider threat posed by students worldwide, including detailed recommendations from the findings in the present study. This is followed by a discussion of the overall impact and mitigation of other threats faced by universities, including ransomware, phishing and malware. Additional recommendations are also compiled and compared with the latest JISC report. We then conclude this section by discussing strengths and limitation of the work.

5.1 Insider threat posed by students

In the educational context, students are a particular case of insiders who have been given unique privileged access to systems. Because of this trust and access granted, insider threats may manifest as either malicious, complacent, or unintentional acts that negatively affect the organisation and its assets, including information technology (IT), facilities, networks, or data, and resulting in various types of harmful acts - e.g., fraud, theft, sabotage, or violence [71].

Our analysis depicted clear differences between school and university students in relation to motivation and types of attacks carried, with some similarities including cases of grade manipulation. Both categories of students may present a serious threat, requiring complex, proactive and prevention-focused mitigation efforts. Students should be guided to act in the interest and benefit of the organisation, following insider threat programs that ’deter, detect, and prevent people from wrongdoing’ and when the harm has already been done, mitigate the impact(s) through appropriate management or enforcement actions’ [71]. Balancing focus, policy, processes, and messaging is important for universities to properly manage threats posed by students, which should be focused on defining who is posing the threat and in what capacity, including prioritising resources that need to be protected [71]. This is in line with our findings showing school and university students may be motivated by different values, with the exception of grade manipulation, therefore calling for tailored responses to insider threat.

Moreover, a study of 462 university students found substantial variations across overall cyber security judgment levels, judgement levels on different aspects of cyber security, and rational judgement competency [21]. Namely, 104 (23%) students showed the lowest correct judgements (the percentage correct below 50%), constituting the most risky group and the true weakest links that deserve special attention, as opposed to the average group (73%), showing the percentage correct between 56% and 90%, and the safe group (4%) for which the percentage correct was above 90% [21]. These three groups have been compared to students with disabilities, regular students, and gifted students in education [21], however, further research is needed to understand how and why the risky group has the lowest judgment level. Moreover, the overall 65% correct rate suggests students as a group have “some cybersecurity judgment knowledge rather than knowing nothing about it or having solid knowledge” [21].

Similar to this individual diversity, the weakest links in judging various aspect of cyber security include a) failing to report a potential cyber security breach in the computer system (as illustrated by a scenario in which a manager chooses to reenter the missing confidential information instead), and b) underplaying security risks. In contrast, the least challenging scenario with the highest correct rate concerns dealing with popups, showing students may have experience in encountering popups daily and know the potential danger [21]. Finally, since students’ rational judgment underperformed their intuitive judgment, the former which generally leads to better reasoning and decision making, this may indicate lack of strong scientific knowledge of cyber security stemming from inadequate education and training [21]. Universities should focus their resources on these three particular weakest links, providing special cyber security prevention and intervention programmes (i.e., formal or informal education and training to undergraduates) rather than lingering with the strongest links (i.e., dealing with popups).

Others found international students were significantly more susceptible to email scams than domestic students, as were first-year students compared to other years of study for reasons such as language barriers and differing experiences with cyber crime in the country of origin, respectively [27]. Greater training for international students and first-year students was proposed as a method to help mitigate cyber threats [27].

Students were also unable to reliably detect spear-phishing when emails used a strategy of authority, as opposed to using social proof, even though “the malicious link destinations were obviously unrelated to the content of the email” [22]. Moreover, those that could better weigh the consequences of immediate and future events were less likely to click on both phishing and spear-phishing links, meaning lower cognitive impulsivity may have overall protective effect against targeted, high effort attacks such as spear-phishing threats [22]. This is linked to what is known as dual processing models of persuasion assuming analytical (‘central’) and heuristics (‘peripheral’) modes of information reasoning that are at odds [72], and has direct training implications to defend against phishing attacks. Namely, since decision making styles can be modified [73], training people to defend against phishing attacks could focus on activating ‘central’ mode processing when people are judging emails [22]. However, more research is needed to confirm whether such intervention can improve phishing email discrimination [22].

Consequently, a one-sized fits all approach to training and education may not be an engaging way for students to increase their cyber security awareness and ultimately reduce the risk of human factors for universities. On the other hand, well-designed courses that follow internationally recognised frameworks could further improve the reception of cyber security awareness [29].

5.2 Impact and mitigation of other threats

Ransomware attacks can have devastating operational, reputational, financial, and psychological effects, e.g., in terms of recovery time needed to reinstate critical services or becoming subject to intense media coverage and scrutiny. Reputational damage can be particularly problematic given over 50% of university income in the sector is derived from tuition fees and 65% of students would not apply to a university with a reputation for poor cyber security [51].

Moreover, once a cyber attack becomes publicly known, universities are often given high fines and further disciplinary actions to comply, as was in the case of a university which accrued a £120,000 ICO (Information Commissioner’s Office) fine [74], and another which was given 144 ICO recommendations, including the recommendation to remove the chair of the university’s data protection privacy group [75].

There can be an impact on staff at targeted institutions which can include financial losses, loss of employment, emotional impacts, health problems, impact on family relationships, self blame and behavioural changes [76]. Feelings of fear, anger, distrust and helplessness may be intertwined with guilt and shame felt by the victims, giving rise to significant short- and long-term effects of depression, panic attacks and post-traumatic stress disorder [77]. For example, the cyber attack at the University of Greenwich and the University of Lancaster caused significant distress to staff and students alike, as 21,000 records were posted online [74] and fraudulent invoices were sent to undergraduate applicants [78].

To mitigate against ransomware, organisations should implement a ‘defence in depth’ strategy, including having effective vulnerability management and secure Remote Desktop Protocol (RDP) services in place, constraining scripting and macros, and exercising ransomware response regularly [51]. Backups of important data are crucial for quick recovery in the event of disaster, and it is recommended that educational institutions should have at least three backup copies of important data, on at least two separate devices, of which at least one must be off-site [79].

In addition to detrimental effects of ransomware, other types of cyber crime impose their own set of challenges. For example, phishing attacks may result in ‘payments to a fraudulent recipient, the loss of a victim’s login credentials, or nefarious malware spreading throughout the university network’ [51], whereas malware ‘may be designed to enable the theft of information, provide the attacker with long-term access to a system, or render machines and data inaccessible, until a payment is made’ [51]. Mitigation should include both good security awareness among staff and students, and strong access and authentication controls, e.g., via security-conscious policies [51].

However, psychological traits and individual differences among computer system users can further explain vulnerabilities to cyber security attacks and crimes, as cognitive biases and impaired brain health can make individuals more susceptible to exploitation by cyber criminals [80]. For example, specific psychological vulnerabilities are being targeted in online communication to exploit human factors, e.g., by using time-limited responses to enact peripheral information processing and therefore limit the amount of deliberation [76]. Risk taking and low self-control are also important personality factors predicting Internet fraud victimisation [76]. It is therefore counterproductive to implement security countermeasures based on procedures and policies without considering human behaviours [81].

5.3 Additional recommendations

The 2022 JISC posture survey suggested five equally important aspects to reduce and manage cyber security threats, including leadership, technical basics, awareness and training, certification, and cyber insurance [7]. Our case studies reinforce these findings outlining that cyber security training should be made mandatory for both the staff and students, followed by regular refresher training. Moreover, communicating regularly with staff and students regarding cyber security helps to embed a cyber security culture. The majority of students appear not to be receiving cyber security training at universities. Such training is useful for society when students graduate and enter the working world, whilst compromise of student accounts can still lead to escalation by cyber threat actors. Sometimes postgraduates have access to some resources and databases that staff do, i.e. for teaching purposes. Therefore, postgraduates should be treated the same as staff members.

This obligatory training should be supplemented by a culture of directing people to appropriate resources instead of using links and attachments within emails. This is because credentials are usually stolen or malware is installed through clicking on such links or downloading attachments. If links and attachments were not included in emails, and it was normalised that university staff members, in particular IT and cyber security teams and those that hold senior positions, do not engage in such practice, this could potentially limit effectiveness of authority-type spear phishing. Cyber security policies already in place should be assessed using an international standard, such as the ISO 27000 series, to identify and fill any gaps, i.e. robust disaster recovery plans and data backup policies. An overarching information policy should bring together all the requirements, standards and best practices that apply to the handling of information to provide a robust governance framework for information management across the University.

5.4 Strengths and limitations

Although a wealth of academic literature exists on the use and nature of cyber attacks, we believe this is the first review of cyber threats in the education sector, focusing on insider threat posed by students worldwide and offering advice and guidance as complied from identified sources in addition to our own recommendations. The novel timeline of key cyber attacks is provided with detailed temporal representation of the chain of key cyber attacks, aiding an understanding of how institutions were exploited and impacted by cyber crime, and supplemented with the list of attacks carried by students against their home universities, colleges, or schools to help frame the discussion of insider threat.

Despite these advantages, the work is not without its limitation. First, our sample size is small and based on published incidents. There are probably many more unpublished incidents and more data can help strengthen this research. Also, in some cases the data about specific characteristics of attack was not available to the authors. Lastly, the cyber attacks may have involved multiple attack elements, e.g. a ransomware attack may have involved phishing, and a DoS attack before the ransomware was activated, but our data does not gather this level of granular detail.

6 Conclusion and future works

The analysis presented in this paper is the first review of cyber threats in the education sector, providing a novel timeline of cyber attacks. Our analysis showed that many universities were hit by ransomware of which the leading causes were spam and phishing emails. Further, possible causes of internal attacks carried by students were also highlighted, the management of which should be focused on preventing hacking; however, additional tailored responses may be required as university, college, and school students appear to be motivated by different values, as well as the provision for awareness training two to three times per year and suitable technological protection measures to supplement. Without this, criminals will continue to successfully target the human element within organisations, exploiting human psychology and error.

Future studies could build upon the timeline, including conducting surveys/interviews with institutions to find details of attacks they are willing to divulge that have not been covered in literature or news. We also plan to examine links between university security policies and their history of cyber crime attacks, as we expect that universities with weak policies in place may be more vulnerable to attacks. We will investigate whether this is indeed the case and whether a predictive model can be used to confirm such relationship. Finally, as different factors may be relevant to the reporting decision for different businesses, it would be interesting to further explore cyber crime reporting by universities, including better understanding of how financial and reputational risks may influence the decision to report cyber crime.

Table 2: A timeline of cyber attacks that have compromised UK universities.
ID Date Target Perpetrator. Attack type. Impact. Motive Description Impact Ref
1 11 Feb 1988 Millions of internet users S.D.A.P Robert Tappan Morris, a graduate student from Cornell University, created a virus intended to be fun. The worm was launched from MIT. Morris was charged under the 1986 Computer Fraud and Abuse Act. in 2006, Morris became a tenured professor at MIT. 6,000 of the then 60,000 computers connected to the internet were attacked, access made temporarily unavailable. [82]
2 02 Feb, 2000 eBay, Amazon, CNN, Dell, and Yahoo S.D.A.P A Canadian high school student referring to himself as MaffiaBoy launches a DDoS against eBay, Amazon, CNN, Dell, and Yahoo. Receives 8 months open custody. $1.2 Billion of damage [83]
3 19 Jun 2008 Tesoro High School, USA S.H.I.G 2 high school students hack school computer to change their own grades charged with 69 felonies including 34 counts of altering their own grades and those of others [84]
4 02 Oct 2012 Multiple* H.I.C.F Team GhostShell – a hacktivist group – runs its’ Project Hellfire campaign. Uses SQL injection attacks and targets weak passwords to steal email addresses, passwords, IDs, and the names of staff and students from universities across the globe in its. Data is made public in Project WestWind. Personal information and credentials of students and staff stolen and posted online. [85, 86, 87]
* University of Cambridge; Imperial College London; University of Edinburgh; Manchester University; University of Nottingham; University of Sheffield.
5 14 Jun 2013 University of Purdue S.H.I.G Three students hacked into Purdue professors’ university accounts and changed at least three dozen of their own grades Personal grades altered [88]
6 05 May 2014 Miami-Dade County Public School S.H.I.G Student hacked into grade system and changed his own and 4 other student grades Personal grades altered [89]
7 12 Jan 2015 University of Queensland U.H.I.G Student hacked the University grade system and altered his grades Charged with 14 offences which included forgery, impersonation, and using a restricted computer without consent [90]
8 23 Apr 2015 University of Birmingham U.H.I.G Student used keylogging software to steal passwords, log onto examination systems, and up his grades, for example, one from 57 to 73%. Charged under the computer misuse act, jailed for four months [91]
9 21 May 2015 University of London Ω\Omega.D.A.Φ\Phi DDoS attack launched just before students sat their finals. Moodle inaccessible for over four hours. [92, 93, 94]
10 07 Dec 2015 Multiple universities (unspecified) H.D.A.Φ\Phi A DDoS attack was launched on the Janet network, which impacted the majority of UK universities. The cyber criminals adjusted their point of attack based on Jisc’s Twitter updates informing universities of their progress to stabilise the network. Attack lasted four days. Eduroam Wi-Fi network disrupted (no Wi-Fi access); access to .ac.uk domains disrupted (websites down). [95, 96, 97]
11 15 Jan 2016 University of Georgia U.H.I.P Student at Georgia tech hacks rival university website and alters content Charged with computer trespass, asked to apologise and perform community service [98]
12 13 to 17 Jun 2016 University of Greenwich Ω\Omega.H.C.Φ\Phi Cyber criminal - claiming to be disgruntled former student - gain full control of the database structure and data. Data for 21,000 people were stolen and put on the dark web, including data on full names, contact details, and physical and mental health issues. University website defaced. Stolen files posted on dark web. Significant distress caused to students and staff members. ICO investigation reports serious breach and fines £120,000. [99, 100, 101]
13 Dec 2016 Multiple universities*. H.I.C.F Russian-speaking hacker Rasputin performs SQL injection attack on at least 60 global university and government organisation web sites. Access credentials sold on Darkweb. Databases containing personal information compromised. [102, 103, 104]
* University of Cambridge; University of Oxford; University of Chester; University of Leeds; University of Glasgow; University of the Highlands and Islands; University of the West of England; University of Edinburgh.
14 11 Jan 2017 University of Iowa U.H.I.G Student changed his grades more than 90 times in 21 months having gained access to the system through a keylogger which stole the user if and password of staff. Charged with federal computer-hacking charges [105]
15 11 Aug 2017 Singapore Management University U.H.I.G Student hacked into University computers, altered his final examination grade from D+ to B, final overall grade from B to A- and downgraded the grades of other students. Charged with the Computer Misuse and Cybersecurity Act and sentenced to 16 weeks jail [106]
16 Nov 2017 University of South Wales U.K.I.F Student used USB devices to install key logging software on university computers, which he used to obtain login details of 35 university staff members over an 18 month period. Five systems were compromised, including the system used to store exam papers, coursework, and marking. Stolen papers were sold to students. Hayder receives a 20 month jail sentence [107, 108, 109]
17 03 Dec 2017 Tenafly High school (New Jersey) S.H.I.G High school student hacks into school student system, changes grades, and submits an Ivy league application Personal grades altered [110]
18 2017 unnamed US university Ω\Omega.P.I.F University paid $1.9m into a cyber criminal’s bank account in response to a fake invoice Loss of revenue [13]
19 02 May 2018 Various US organisations U.H.C.Φ\Phi Student faced extradition and charges under the US Computer Fraud and Abuse Act (CFAA) in the USA due to having hacked various organisations in the US including including the Federal Reserve, Nasa, the Department of Energy and the FBI. His extradition was blocked by UK courts. Extradition requests filed but blocked by UK courts. Student, having previously studied at the University of Nottingham, then Glasgow, moved on to study at the University of Suffolk before becoming an advisor on computer security systems for Hacker House. [111]
20 14 May 2018 Ygnacio Valley High School in Concord S.H.I.G Student altered his own grades, and reducing the grades of others. Charged with 14 felonies [112]
21 May 2018 Multiple universities (unspecified) H.P,M.C.F Spear-phishing emails sent as part of the STOLEN PENCIL campaign containing a link that would download a malicious Chrome extension, leading to credentials being stolen largely from biomedical engineers. University login credentials compromised. IP exfiltrated. [113, 42, 114]
22 Aug 2018 Multiple universities (unspecified) H.P.C.F Academics and students at multiple unspecified UK universities were targeted by the ‘Silent Librarian’ campaign. Phishing emails, often spoofing a university’s library with stolen branding, would direct people to a login page on a false domain that harvested login credentials. After submitting credentials, victims are redirected to their actual university library page, often leaving no indication that information had just been phished. University login credentials compromised; valuable research stolen. [115, 116, 117]
23 11 Sep 2018 University of Edinburgh H.D.A.Φ\Phi The university’s campus network was hit by a DDoS attack during its Freshers’ Week when hundreds of new undergraduates were starting their courses. University’s website, wireless connections, and other student services down for over 24 hours. [118, 119, 120]
24 2018 to 2019 unnamed 144 US and 176 non US universities H.P,M.C.F Cybercrime group launches the silent librarian attack Theft of around $3.4 billion worth of IP, 31.5 TB of data, and compromised 7,998 university accounts. [13]
25 03 Aug 2019 Tufts University, USA U.H.I.G Student expelled on accusations of hacking the university grade system and altering her own grades. Notably, the charges were never proven or seemingly, properly investigated. Personal grades altered [121]
26 05 Aug 2019 Encore Junior and Senior High School for the Arts, USA S.H.I.G 15 year old student hacked into networks to alter his own grades. Charged with computer intrusion. [122]
27 06 Aug 2019 Donald Trump S.H.C.P 2 Students hacked into Donald Trump’s tax records. Charged under unauthorized computer access act [123]
28 09 Aug 2019 Blackboard VLE S.H.CI.Φ\Phi US high school student, hacked Blackboard because ‘he was bored’. Student discovers test grades, medical records, café balances, cryptographically hashed passwords, and photos. He reports the bugs to Blackboard who addressed the bugs imminently. Student was suspended for 2 days but no legal action was taken. [124]
29 17 Dec 2019 High School in Maryland S.H.C.Φ\Phi A high school student hacks into school network. Maintains access for over a year to a high school IP TV network and around 5,962 student records. Eventually the student disclosed himself to the school IT department. No sanctions were applied as the student disclosed himself. [125, 126]
30 2019 The University of Warwick H.H.CI.F Cyber criminals exploited a remote-viewing software that had been installed by a staff member to gain access to the administrative network. An internal report was unable to identify what data had been stolen due to the state of cyber security protections that had been in place. University suffers multiple data breaches; Sensitive information on students, staff, and volunteers for research studies stolen; ICO investigation that made 144 recommendations including 23 that were classed as urgent; ICO recommended the removal of the chair of the university’s data protection privacy group. [9, 127, 128]
31 19 Jul 2019 Lancaster University H.P.C.F The university was exploited by a phishing attack, although further details on the attack are unavailable. Names, addresses, phone numbers, and email addresses were stolen from undergraduate student applicant data records. Student records and ID documents were stolen from the student records system. Fraudulent invoices demanding large amounts of money sent to some undergraduate applicants; distress to students affected. [129, 130, 78]
32 31 Jul 2019 University of York Ω\Omega.Θ\Theta.C.Φ\Phi A “malicious data breach” was reported, although further details on the attack are unavailable. Perpetrator accesses the administrative records of 88 students and views private data. Further data on 4,440 students were downloaded. [131, 132, 133]
33 Aug 2019 Multiple unnamed universities H.PM.C.F Second wave of the Silent Librarian campaign targeted multiple unspecified UK universities once more, with minor variations to the social engineering techniques and infrastructure used in the previous year. University login credentials compromised; valuable research stolen. [134, 135, 136]
34 2019 Unnamed UK university Ω\Omega.Θ\Theta.C.Φ\Phi Cyber attack Breach of around 4,100 student records. [13]
35 2019 unnamed UK colleges and service providers Ω\Omega.Θ\Theta.A.Φ\Phi Cyber attack Attack impairs system access for college and their staff. [13]
36 2019 Maastricht University H.R.A.F Ransomware attack launched on University University believed to have paid a ransom of around £230,000. Recovery effort involved multiple departments and teams. [13]
37 May 2020 Cloud software provider Blackbaud H.R.A.F Blackbaud provides services for a number of UK universities*, suffered a ransomware attack. They prevented clients being locked out of their own data and servers by paying the ransom. However, the cyber criminals extracted a copy of a subset of data. Some financial data and passwords were stored in cleartext. Personal data of staff, students, alumni, and supporters stolen; bank account information compromised; user passwords compromised. [137, 138, 139]
* Impacted HEIs included: Birmingham, De Montfort, Strathclyde, Exeter, York; Oxford Brookes, Loughborough, Leeds, London, Reading, UCL, Oxford
38 11 May 2020 The University of Edinburgh H.H.A.F The ARCHER supercomputer was infected with cryptocurrency mining malware. It was exploited through compromised SSH credentials. Supercomputer used to mine cryptocurrency for criminals; supercomputer shut down for several days. [140]
39 28 Aug 2020 Northumbria University H.R.A.Φ\Phi Cyber criminals infiltrate the university’s networks, steal data, and encrypt machines before demanding a ransom payment. University’s clearing service unable to take calls; exams postponed; campus closed for seven days; students unable to access their online student portal or other platforms. [140, 141, 142]
40 Aug 2020 Unnamed UK college Ω\Omega.Θ\Theta.A.Φ\Phi Cyber attack launched on results day Students cannot access results online, results must be emailed out [13]
41 03 Sep 2020 Florida school district S.D.A.Φ\Phi 16-Year-Old Arrested after eight DDOS attacks on the School’s Online Learning Systems. Charged with “computer use in an attempt to defraud” [143]
42 04 Sep 2020 Newcastle University H.R.A.F DoppelPaymer steals university backup files, encrypts systems, and threatens to release the data unless ransom is paid. Data included a full list of students, their departments, courses, and student numbers, and home addresses, phone numbers, and personal email addresses for students. Stolen files posted online; many university IT systems not operational for weeks, including relating to timetabling, building access, and smartcard issuing. [144, 145, 146]
43 Sep 2020 Multiple universities* H.PM.C.F Third wave of “Silent Librarian” campaign University login credentials compromised; valuable research stolen. [37, 39, 147]
* Glasgow Caledonian University; University of Bristol; University of Cambridge; University of York; University of Kent; King’s College London; Queen Mary University of London; University of Lincoln
44 03 Oct 2020 Nanyang Technical University U.H.I.F Student hacked into stored value card for hostel pre-paid SIMS, air conditioning, food, drinks and cigarettes. Stole $34,000 worth of items, and causing $80,000 worth of damage. Tee was charged with the Computer Misuse and Cybersecurity Act and sentenced to 10 months jail [148]
45 13 Dec 2020 London Southbank University (LSBU) Ω\Omega.D.A.Φ\Phi Cyber attack disables Moodle, student hub and other university systems. Students unable to access Moodle, their student hub, recorded lectures, or academic resources for over a month; University-wide institutional login systems down. [149, 150, 151]
46 13 Feb 2021 The Chancellor, Masters and Scholars of the University of Oxford H.Θ\Theta.I.F Cyber criminals exploit a poorly secured server in the Strubi labs to gain access to lab equipment, pumps and pressure tools. Biochemical preparation machines compromised; Cyber criminals attempted to sell access to the lab’s systems. [152, 153, 154]
47 24 Feb 2021 Queen’s University Belfast (QUB) Ω\Omega.Θ\Theta.A.Φ\Phi Systems targeted in cyber attack, full extent does not appear to have been revealed, but institution disabled access for staff ‘as a precaution’. Regular outages still occurred in some university systems three months after the incident, causing delays across the university; Health Trusts disconnected a number of services connected to QUB, and stopped accepting messages from QUB email addresses, disrupting communication between staff and students working on wards or other trust settings. [155, 156, 157]
48 05 Mar 2021 University of the Highlands and Islands (UHI) H.R.A.F Cyber criminals from eastern Europe or the Baltic region launched a ransomware attack using various malware components including Cobalt Strike and Ryuk. Student and staff services disrupted, including the remote access platform to network drives, files and applications, and printing services; facilities closed for a day; systems such as administration and accounting still impacted several months on; system re-build required. [158, 159, 160]
49 17 Mar 2021 University of Northampton H.R.A.F A ransomware attack at the university caused serious server problems, with phone lines and IT systems taken down. Six-day outage of IT, telephone, and server networks; students unable to access study materials for on-campus and online induction; access to online teaching disrupted; email systems unavailable. [161, 162]
50 13 Apr 2021 University of Portsmouth H.R.A.F Ransomware caused disruption to IT services, with technical disruption continuing over a couple of weeks. University campus closed for over a week; start of new term delayed; key IT systems taken offline; staff and students unable to log onto network. [163, 164, 165]
51 14 Apr 2021 University of Hertfordshire H.Θ\Theta.A.Φ\Phi The university experienced a cyber attack that impacts several systems including those in the cloud. Large parts of the network are disconnected; access to cloud-based services, including Canvas, Office 365, MS Teams, and Zoom, blocked; all online classes cancelled; VPN, data storage, and email access all offline. [45, 68, 69]
52 14 May 2021 Glasgow Caledonian University H.Θ\Theta.A.Φ\Phi Cyber attack impacts university systems. Still not clear what happened. However, the university suggested that systems were closed down as a precautionary measure. [166]
53 09 Jun 2021 Lay public U.E.C.G Teeside student, poses as Amazon tech support and cons an elderly woman out of £40,000. 5 month jail sentence [167]
54 09 Oct 2021 University of South Wales U.H.I.F Student hacks university system and makes £20k selling exam papers, housemate finds students willing to buy the exam papers. First student makes £20k in sales, jailed for 20 months, second student receives suspended 9 month sentence. [168]
55 12 Oct 2021 University of Sunderland H.Θ\Theta.A.Φ\Phi A cyber attack affects university systems. University website, IT systems – including the university’s records systems – and telephone lines disabled. Online classes cancelled, processing of marks and awards delayed, staff members had difficulty accessing their emails. [169, 170, 171]
56 15 Mar 2022 Heriot-Watt University H.M.A.Φ\Phi The university was breached with a malware attack on its VPN, which led to on-premises infrastructure being taken down for over a week, including access to the VPN for remote login, Oracle R12 finance systems, staff shared areas, and some staff and student directories. All users of systems had to be moved to alternative systems. Remote learning was hampered for over a week. [172, 173, 174]
57 09 Sep 2022 HS. Examinations department in Sri Lanka S.H.I.G An unnamed Information and Communication Technology student steals the results of 270,000 A-level students, and enables access to them through his own web portal. Confidentiality breach [175]
58 16 Sep 2022 Escambia County School District, USA O.Θ\Theta.I.G Daughter and mother - were accused of rigging the homecoming queen crown by using her mother’s account to cast fake votes. The charges were challenged by daughter and later dropped. Integrity breach [176]

.

References