‘Lessons learnt’ from the Maastricht University cyber attack


On 23 December 2019, Maastricht University found itself the victim of a significant cyber attack, which resulted in cyber criminals taking some of its data hostage. A management summary of what happened and the lessons to be learnt from it was published on 5 February, and serves as a reminder of the risks posed by cyber security threats, particularly to higher education institutions.

Maastricht University (MU) was the subject of a significant malware attack on 23 December 2019. The attack affected 267 of the university’s 1647 servers, and focussed on encrypting Windows data. It also affected the back-ups of some systems. It threatened the university’s ability to welcome back its 19,000 students after the Christmas break, and put in jeopardy exam arrangements for 6,000 students. The attack obviously had a significant impact on education and research, and restoring services to students, academic staff and support staff was the Crisis Management Team’s priority. In some respects MU were lucky, because they had crisis management protocols in place and had previously participated in crisis simulations.

Throughout the period of recovering from the incident (a process which is on-going), MU took a transparent approach to reporting events. This included posting regular updates, and culminated, on 5 February 2020, with a symposium and the publication of a management summary of its IT consultant’s report and its response to that report, to provide a candid insight into what happened and the lessons to be learnt from it.

The ‘lessons learnt’ include:

  • Improving awareness of risks amongst users (MU learned that “about 20% of users open so-called ‘phishing emails’”), and the training and tools available for Service Desk staff;
  • Technical measures, including more accurate software updates; closer monitoring of the use of domain administrator accounts; stricter segmentation of the network; and 24/7 monitoring of cyber threats by a Security Information and Event Management team (SIEM) and/or Security Operations Center (SOC) to monitor threats, advise on security, detect actual threats, and intervene when necessary;
  • Double back-ups: the attacker in the MU incident was able to encrypt MU’s online back-ups of a few critical systems.
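To make the second lesson concrete, the following is an added example (not code from the MU report, its IT consultants, or this article) of the kind of simple detection rule a SIEM or SOC team could run to flag use of domain administrator accounts from machines that are not approved administrative hosts. The event records, account names, host names and the allow-lists are all constructed assumptions; the record layout is modelled loosely on Windows Security event 4624 (successful logon), where logon type 2 is interactive, 3 is network and 10 is remote interactive.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed sample records (assumptions, not real log data) modelled on
# Windows Security events: 4624 = successful logon, 4625 = failed logon.
SAMPLE_EVENTS: List[Dict] = [
    {"event_id": 4624, "account": "CORP\\da-alice", "src_host": "JUMP01",    "logon_type": 10},
    {"event_id": 4624, "account": "CORP\\jsmith",   "src_host": "WKS-0042",  "logon_type": 2},
    {"event_id": 4624, "account": "CORP\\da-alice", "src_host": "WKS-0042",  "logon_type": 10},
    {"event_id": 4625, "account": "CORP\\da-bob",   "src_host": "WKS-0107",  "logon_type": 3},
    {"event_id": 4624, "account": "CORP\\da-bob",   "src_host": "FILESRV02", "logon_type": 3},
]

# Assumed membership of the Domain Admins group and the assumed set of
# dedicated administrative hosts from which such accounts may be used.
DOMAIN_ADMINS = {"CORP\\da-alice", "CORP\\da-bob"}
APPROVED_ADMIN_HOSTS = {"JUMP01", "JUMP02"}

LOGON_TYPE_NAMES = {2: "interactive", 3: "network", 10: "remote interactive"}


@dataclass(frozen=True)
class Alert:
    account: str
    src_host: str
    logon_type: int
    reason: str


def find_suspicious_admin_logons(
    events: Iterable[Dict],
    domain_admins=DOMAIN_ADMINS,
    approved_hosts=APPROVED_ADMIN_HOSTS,
) -> List[Alert]:
    """Return one Alert per successful domain-admin logon originating from a
    host that is not on the approved administrative host list."""
    alerts: List[Alert] = []
    for ev in events:
        if ev["event_id"] != 4624:          # only successful logons matter here
            continue
        if ev["account"] not in domain_admins:
            continue                        # ordinary user; out of scope for this rule
        if ev["src_host"] in approved_hosts:
            continue                        # expected administrative use
        kind = LOGON_TYPE_NAMES.get(ev["logon_type"], f"type {ev['logon_type']}")
        alerts.append(Alert(
            account=ev["account"],
            src_host=ev["src_host"],
            logon_type=ev["logon_type"],
            reason=f"domain admin {kind} logon from non-approved host",
        ))
    return alerts


def alerts_by_account(alerts: Iterable[Alert]) -> Dict[str, int]:
    """Count alerts per account, useful for a daily SOC summary."""
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a.account] = counts.get(a.account, 0) + 1
    return counts


if __name__ == "__main__":
    found = find_suspicious_admin_logons(SAMPLE_EVENTS)
    for a in found:
        print(f"ALERT {a.account} from {a.src_host}: {a.reason}")
    print(alerts_by_account(found))
```

On the constructed sample this produces two alerts (the da-alice logon from a workstation and the da-bob network logon to a file server) and ignores both the ordinary user logon and the failed logon. In a real deployment the allow-lists would come from the directory and a maintained inventory of privileged-access workstations, and the rule would run continuously as part of the 24/7 monitoring the report recommends.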

Many of the specific solutions identified by MU and their IT consultants will be specific to MU’s own systems and the identified weaknesses in them. However, the ‘lessons learnt’ flag once again a common and perennial issue, which is the need to address both human and technical vulnerabilities in order to mitigate cyber risk.

Many organisations who have suffered a cyber attack of the severity experienced by MU do not proactively publicise the details quite as openly as MU chose to, no doubt in order to minimise the ‘noise’ made and the risk of criticism, claims and reputational damage. MU’s stated reason for providing this ‘lessons learnt’ account of the incident is so that it may “play its part in increasing digital security”, which, “in the increasingly intensive fight against cyber insecurity”, it regarded as its “social duty”.

MU stressed that higher education (HE) institutions were “no exception to this picture of vulnerability”. In fact, the picture painted by the summary was of the HE sector being particularly vulnerable to cyber insecurity. This was said to be on account of the openness which is in the very nature of educational institutions, where students and academia should be able to share information in a global environment and participate in different communities, and where students bring their own devices, making it far harder to strike the right balance between digital security and the inherent openness of educational institutions.

Data breaches are now in the headlines on an almost daily basis. Those incidents that are large or significant enough to make the headlines are, however, only the tip of the iceberg, and we know that even the smaller, less-publicised cyber incidents have the potential to cause an organisation significant disruption of operations, damage to reputation, and the risk of fines and losses. As MU stated in the published management summary of their own recent incident, “100% security does not exist” and HE institutions “are no exception to this picture of vulnerability”. Preparation continues to be key, both to an organisation identifying and addressing areas of weakness in its systems (technical and human), and to ensuring that thorough processes are already in place so that, when cyber incidents do occur, they are resolved swiftly and effectively, minimising the risk of potential losses, fines and reputational damage.