Hackers accessed the University of Warwick’s administrative network last year in an attack which has been kept secret from the affected individuals and organisations, Sky News has learnt.
The security incident occurred when a staff member installed remote-viewing software enabling hackers to steal sensitive personal information on students, staff and even volunteers taking part in research studies.
Because cyber security protections at the university were so poor, as per the findings of an internal report revealed by Sky News earlier this month, it was impossible for the university to identify what data had been stolen.
Several sources have told Sky News this was one of multiple data breaches which have taken place at Warwick, which regularly receives more than £120m in research grants each year.
Warwick’s registrar and executive lead for data protection, Rachel Sandby-Thomas, who is ultimately responsible for IT services, did not inform any of the individuals or research bodies whose data was stored on the administrative network about these breaches or the risks they were exposed to.
The university declined to respond to this point when it was put to them.
An executive summary of another audit – this time by the data protection watchdog, the Information Commissioner’s Office – was published in March, the first that either students or staff had heard of these security risks.
Sky News has learnt that during the final meeting concluding the ICO’s audit, the regulator recommended that Ms Sandby-Thomas should be removed as chair of the university’s data protection privacy group (DPPG), saying it should instead be chaired by someone with data protection expertise.
The university told Sky News: “The registrar fully agreed with the report’s finding that we should give those areas of responsibility to someone with a specialist skill set and experience.”
Despite not having this “specialist skill set and experience”, Ms Sandby-Thomas had been the executive lead for IT and data protection at the university since 2016 – a period during which multiple security incidents occurred.
After the recommendation was made that she stand down from chairing the DPPG, the registrar disbanded the committee.
The university confirmed: “As previous structures clearly did not deliver all the change and improvements we had sought in this area, it is no surprise that we also sought to change and improve these structures.
“We have therefore introduced two new committees to provide enhanced oversight and advice which bring in a wealth of talent including one of Europe’s leading cyber security professors.”
A new chief information and digital officer, who reports directly to the vice chancellor, has also been hired.
The university told Sky News: “We have also unsurprisingly, and for the same reasons, made changes to the operation and focus of the management and administrative team for that area of work, but all of those staff remain employed by the university.”
The tense of the phrase “remain employed” is significant, according to multiple sources at the university who say staff have been informed of an ongoing restructuring, and expect this to involve redundancies.
Sky News has seen an internal email featuring the registrar joking about the cyber security audit, telling staff it was “tomato coloured” and dismissing their potential interest in knowing whether their data was at risk by saying: “If I told you what, I’d have to kill you.”
In the same email, the registrar acknowledged that she attempted to refuse to allow the ICO to conduct its voluntary audit until she was informed that the alternative to a voluntary audit was a “compulsory less friendly one”.
The university said: “The registrar’s comments simply confirmed and supported the more formal communications to staff that there were a number of areas, in both our own analysis and the ICO audit, that clearly should be red flagged.
“They also confirmed the ICO’s and our own assessment that only the summary audit report should be public as the publication of the full report could potentially undermine the work to implement its actual recommendations.”
But the risks to student and staff data, as highlighted by multiple data protection incidents, were not made public as part of the summary audit report.
Sources at the university told Sky News they would like the council to hold an independent investigation into the executive lead’s handling of these incidents.
The university declined to respond to whether the executive would support such an investigation.
If you would like to contact Alexander Martin, you can reach him securely using the private messaging app Signal on +44 (0)7970 376 704 or at firstname.lastname@example.org