
SoylentNews is people

posted by chromas on Friday May 25 2018, @07:28AM   Printer-friendly
from the haxx dept.

A web server set up by an enterprising student for a conference in 2004 and then forgotten about has left the University of Greenwich nursing a £120,000 ($160,000) fine from Britain's Information Commissioner (ICO).

Forgetting about a web server isn't generally a good idea, but this was a particularly dangerous oversight because it had been linked to a database containing the personal data of 19,500 University staff, students, alumni, and conference attendees.

The data also included more intimate personal data of 3,500 people covering learning difficulties, staff sickness, food allergies, and extenuating circumstances put forward by students during their studies.

You can probably guess where this is heading – eventually cybercriminals chanced upon the forgotten server and did their worst.

Source: https://nakedsecurity.sophos.com/2018/05/22/server-what-server-site-forgotten-for-12-years-attracts-hacks-fines/

-- submitted from IRC


  • (Score: 0) by Anonymous Coward on Friday May 25 2018, @07:55AM (5 children)

    by Anonymous Coward on Friday May 25 2018, @07:55AM (#683923)

    Who paid for it all those years?

  • (Score: 5, Interesting) by theluggage on Friday May 25 2018, @08:59AM (2 children)

    by theluggage (1797) on Friday May 25 2018, @08:59AM (#683934)

    The coverage of this story is really starting to annoy me. What gets reported:

    University fined £120,000 after student 'microsite' is hacked

    The important story (if you follow a couple of links):

    University negligently stores 20,000 highly sensitive staff/student records on a server that is also running public websites

    (Apparently, this wasn't just your garden variety mailing list, but included some highly confidential data about educational special needs, medical issues and family background etc.)

    A university needs to be able to let academics disseminate their work (that's what the WWW was originally created for - it may be used for other, bigger, things now but the original application hasn't gone away), IT students to run projects etc., but they also need to handle quite sensitive information on students, research subjects etc. There should be a huge, stonking, brick shithouse firewall, preferably literally as well as figuratively, between the two. The university IT department needs to provide two things - a secure, corporate business system for admin, student records and sensitive research subject data and an Internet Service Provider for academics and students. Those two things should definitely have separate servers and, preferably, separate management cultures.

    Sometimes, a proliferation of "shadow IT" projects is a sign that the official IT systems aren't providing the facilities that staff need to do their jobs.

    I fear that the response of many institutions is going to be "close down the microsites" (which they'd like to do anyway so that they can impose corporate identity policy on everything) rather than "why aren't our academic microsites running from individual VPSs on separate hardware in a separate security zone?"

    • (Score: 0) by Anonymous Coward on Friday May 25 2018, @02:41PM (1 child)

      by Anonymous Coward on Friday May 25 2018, @02:41PM (#684029)

      Europe can try to microregulate its way to happiness, but academics there may have to start setting up conference servers in the land of the free to avoid the expense of this compliance regimen.
      Or go back to mailed letters among the program committee. As with most things coming out of the EU, GDPR is a major impediment to getting things done for the individual, and a simple expense for massive corps who can just pass the cost down.

      • (Score: 3, Insightful) by theluggage on Friday May 25 2018, @04:09PM

        by theluggage (1797) on Friday May 25 2018, @04:09PM (#684064)

        Europe can try to microregulate its way to happiness, but academics there may have to start setting up conference servers in the land of the free to avoid the expense of this compliance regimen.

        As I said - the problem is not the academics' conference servers (worst case: individual sites get defaced and malware'd and have to be deleted) its the confidential staff and student records that shouldn't have been on the same server in the first place.

        Anyway, doesn't matter where the server is located if the data is about EU citizens and you don't want to get banned from doing business in Europe or other countries that value their trade with Europe (about the only thing that is certain about Brexit is that we're stuck with the GDPR).

        The difference between Europe and the Land Of The Free(c)(r)(tm)(pat. pending) is that, if 20,000 sensitive personal details leak onto the internet, instead of getting fined $200k by some eeeevil liberal-infested gubment agency you just get hit with a $1m class-action lawsuit that will cost you $200k to fight, even if you win.

        Or go back to mailed letters among the program committee

        Still covered by GDPR...

        GDPR is a major impediment to getting things done for the individual

        Doesn't have to be unless the ICO goes insane and starts "soft-targetting" small fry.

        See this BBC article [bbc.co.uk] which includes some rather more conciliatory comments from the ICO and lawyers as a counter to some of the FUD flying around. TLDNR: a lot of companies and institutions are overreacting. Quote:

        She [the lawyer] said small organisations should relax and apply a simple test: would a person expect to get a message from you?

        ...
        She gives as an example a swimming club. You would expect to get a newsletter about opening times at the pool or meetings. You would not expect your details to be passed without your consent to a company selling swimming costumes.

        I think the worst hit are going to be staff in big institutions like universities - and small companies doing business with them* - who might be saddled with over-cautious one-size-fits-all institutional rules that don't distinguish between promoting an academic conference and interviewing 8-year-olds about gender identity issues.

        (* not many of those left, thanks to the EU rules** on "competitive tendering" that are so onerous that public institutions end up signing single-supplier agreements with a few big players)

        (** or rather, one should always add the qualifier, "EU rules as gold-plated by the UK government and then interpreted by the Institution in the way that will justify the greatest expansion of the procurement department")

  • (Score: 2) by looorg on Friday May 25 2018, @10:48AM (5 children)

    by looorg (578) on Friday May 25 2018, @10:48AM (#683954)

    It took them, the crooks, 12 years to find it? Really? As I recall from working in university IT, we were constantly being scanned and probed. As an experiment we put up some unsecured servers and workstations just to see how long it would be before someone compromised them -- it was an hour or two before they had been turned into some sort of warez distribution point.

    Forgetting about an entire physical server sounds a bit much these days; I can understand if you forget about a virtual one. But then sure, nobody might have known what that machine in the corner was doing and nobody dared to remove it -- after all, it might be running something really important. But then it would probably have been part of the documentation, or at least have a big post-it note on it saying DON'T TURN OFF or something.

    • (Score: 4, Funny) by Dr Spin on Friday May 25 2018, @03:51PM

      by Dr Spin (5239) on Friday May 25 2018, @03:51PM (#684059)

      But then it would probably have been part of the documentation, or at least have a big post-it note on it saying DON'T TURN OFF or something.

      You must be new here: that is not how we do things on planet Earth.

      --
      Warning: Opening your mouth may invalidate your brain!
    • (Score: 2) by sjames on Friday May 25 2018, @07:08PM

      by sjames (2882) on Friday May 25 2018, @07:08PM (#684151) Journal

      For your consideration [theregister.co.uk].

    • (Score: 0) by Anonymous Coward on Friday May 25 2018, @10:50PM

      by Anonymous Coward on Friday May 25 2018, @10:50PM (#684252)

      This story reminded me of a story from last century.
      A Novell server at the University of North Carolina was in a closet and some drywall guys sealed off the opening to the closet. [google.com]
      4 years later, the IT staff figured out what had happened.
      In the meantime, there had been no ill effects reported.

      -- OriginalOwner_ [soylentnews.org]

    • (Score: 2) by kazzie on Saturday May 26 2018, @05:33AM

      by kazzie (5309) Subscriber Badge on Saturday May 26 2018, @05:33AM (#684374)

      No, it took the university 12 years to find. Best guess is that the hackers had gotten in 3 years before that.

    • (Score: 0) by Anonymous Coward on Sunday May 27 2018, @03:37AM

      by Anonymous Coward on Sunday May 27 2018, @03:37AM (#684739)

      I have seen something like this. At a top E-commerce company headquartered in the Pacific Northwest... True story.

      Behind our work area, in a little nook created by cube walls and a support pole, were four tower computers. All running. And not related to any group, people or work going on across the floor of the building. I was curious and asked around if anyone knew what they were doing. No one knew. They stayed up and running for two years. When we had a power outage one day, I decided to do a "scream test", and unplugged all four computers while the power was out on the floor. The power came back up, and we waited. And waited. And waited. Nothing. These had been running for 2+ years and nothing happened when they were shut down. We left them there turned off. When the building was vacated in a move to a new campus, they were left behind and someone scrapped them.

      These were on the internal network, so not externally exposed. But, today, with AWS/EC2, I can see a virt or two running, on an internal AWS account, that has been similarly lost and continues to run without anyone's knowledge.
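A check for the AWS case raised in the comment above, added here as an example and not part of the original thread: it walks the dict shape that boto3's `ec2.describe_instances()` returns and flags running instances that look abandoned. The `Owner` and `Expires` tag names are an assumed tagging policy, the instance IDs and launch times are constructed sample data, and no AWS call is made, so it runs offline; replacing `SAMPLE_RESERVATIONS` with the real `describe_instances()["Reservations"]` is the only change needed to run it against an account.

```python
"""Flag forgotten EC2 instances from describe_instances-style output.

Added example, not from the SoylentNews thread or Sophos article. Operates
on the structure boto3's ec2.describe_instances() returns; the sample data
below is constructed and the tag names are an assumed tagging policy.
"""
from datetime import datetime, timedelta, timezone

# Assumed tagging policy: every instance carries an Owner and an Expires tag.
REQUIRED_TAGS = ("Owner", "Expires")

# Constructed sample matching the describe_instances() "Reservations" shape.
NOW = datetime(2018, 5, 25, tzinfo=timezone.utc)
SAMPLE_RESERVATIONS = [
    {"Instances": [
        # Running two years, untagged, public IP: the "box in the nook" case.
        {"InstanceId": "i-0a1b2c3d4e5f60001", "State": {"Name": "running"},
         "LaunchTime": datetime(2016, 5, 25, tzinfo=timezone.utc),
         "PublicIpAddress": "203.0.113.10", "Tags": []},
        # Owned, but its expiry date has passed.
        {"InstanceId": "i-0a1b2c3d4e5f60002", "State": {"Name": "running"},
         "LaunchTime": datetime(2017, 11, 1, tzinfo=timezone.utc),
         "Tags": [{"Key": "Owner", "Value": "alice"},
                  {"Key": "Expires", "Value": "2018-01-31"}]},
        # Properly tagged and still within its lifetime: not flagged.
        {"InstanceId": "i-0a1b2c3d4e5f60003", "State": {"Name": "running"},
         "LaunchTime": datetime(2018, 5, 1, tzinfo=timezone.utc),
         "Tags": [{"Key": "Owner", "Value": "bob"},
                  {"Key": "Expires", "Value": "2018-12-31"}]},
        # Stopped instances are skipped; they are not serving anything.
        {"InstanceId": "i-0a1b2c3d4e5f60004", "State": {"Name": "stopped"},
         "LaunchTime": datetime(2015, 1, 1, tzinfo=timezone.utc), "Tags": []},
    ]}
]


def _tags(instance):
    """Turn boto3's list of {Key, Value} dicts into a plain dict."""
    return {t["Key"]: t["Value"] for t in instance.get("Tags", [])}


def find_orphans(reservations, now, max_age_days=90):
    """Return findings for running instances that look abandoned.

    An instance is flagged when it has no Owner tag, when its Expires tag
    is in the past or unparseable, or when it has run longer than
    max_age_days with no Expires tag at all. The public IP is included so
    externally reachable ones can be triaged first.
    """
    findings = []
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") != "running":
                continue
            tags = _tags(inst)
            reasons = []
            if "Owner" not in tags:
                reasons.append("no Owner tag")
            expires = tags.get("Expires")
            if expires is not None:
                try:
                    exp = datetime.fromisoformat(expires).replace(tzinfo=timezone.utc)
                    if exp < now:
                        reasons.append(f"expired on {expires}")
                except ValueError:
                    reasons.append(f"unparseable Expires tag {expires!r}")
            else:
                age = now - inst["LaunchTime"]
                if age > timedelta(days=max_age_days):
                    reasons.append(f"running {age.days} days with no Expires tag")
            if reasons:
                findings.append({
                    "InstanceId": inst["InstanceId"],
                    "PublicIp": inst.get("PublicIpAddress"),
                    "Reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    # For a live account: reservations = boto3.client("ec2").describe_instances(
    #     Filters=[{"Name": "instance-state-name", "Values": ["running"]}])["Reservations"]
    for finding in find_orphans(SAMPLE_RESERVATIONS, NOW):
        exposed = finding["PublicIp"] or "no public IP"
        print(f"{finding['InstanceId']} ({exposed}): {'; '.join(finding['Reasons'])}")
```

The "scream test" in the comment is the manual version of this: the tag-based check is what lets you do it before the box has been running unowned for two years, and the expiry tag turns a forgotten instance into a ticket rather than a surprise.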

  • (Score: 3, Insightful) by VLM on Friday May 25 2018, @01:07PM

    by VLM (445) on Friday May 25 2018, @01:07PM (#683991)

    because it had been linked to a database containing

    Reading between the lines, I think decades ago they set up LDAP access for SSO or similar, and either their LDAP is full of stuff it shouldn't have since before then, or they kept adding stuff to their LDAP since then.

    None of it individually sounds like something you'd want to keep out of LDAP. So you're a vegan; why not put that in LDAP so when you sign up for a conference the caterers get an automated report of how many vegan meals to order vs gluten free? Or by extenuating circumstances of withdrawal from classes, you mean LDAP had a field where the registrar can let the dorm department know to allow or forbid dorm rental based on reason for withdrawal, which doesn't sound too awful. It's only when you give someone total access to the entire DB for all users all the time that it gets kinda iffy.

    You do realize of course that every uni employee and government employee and corporation already has access to all that data and more; the only scandal is theoretically your next door neighbor could now know. That's what privacy has come to in the modern world: everyone knows everything about everyone except really small scale stuff like I don't have the goods on my next door neighbor, although everyone else does.

  • (Score: 2, Funny) by shrewdsheep on Friday May 25 2018, @04:07PM

    by shrewdsheep (5215) on Friday May 25 2018, @04:07PM (#684063)
  • (Score: 4, Insightful) by bob_super on Friday May 25 2018, @05:28PM

    by bob_super (1357) on Friday May 25 2018, @05:28PM (#684090)

    > Site forgotten for 12 years...

    What's the uptime of your latest-fancy-framework-with-blank-space atrocity, bitches ?

  • (Score: 4, Insightful) by RedIsNotGreen on Friday May 25 2018, @08:46PM

    by RedIsNotGreen (2191) on Friday May 25 2018, @08:46PM (#684205) Homepage Journal

    http://qdb.us/5273 [qdb.us]

    <erno> hm. I've lost a machine.. literally _lost_. it responds to ping, it works completely, I just can't figure out where in my apartment it is.
