Northumbria University cyberattack

Not long into the new academic year, the Northumbria University cyberattack shook the campus IT systems in early September 2020, forcing those at the top to close the campus and postpone scheduled exams.

It remains unclear whether any long-lasting damage was caused by the attack. In our experience as data breach lawyers, we have seen large-scale attacks such as this endanger or expose significant quantities of personal information.

Northumbria is not the first university to have experienced such an attack, a fact that highlights the particular vulnerability of higher education institutions to such malicious cybercrime. In university cyberattacks, employees and students can be adversely affected by the exposure of their personal data, for which they are often able to make a compensation claim. If it emerges that Northumbria University failed to protect personal data, we may be able to help anyone affected.

What happened?

The Northumbia University cyberattack was first reported in early September last year, and it is understood to bear all the hallmarks of a ransomware attack. Ransomware attacks are often used by cybercriminals to take control of a computer system or network remotely. They can then demand, in exchange for restoring control to the affected organisation, a ransom fee to be paid.

These attacks are often carried out for the purposes of harvesting vast swathes of private data for criminal misuse unless a ransom is paid.

The deputy vice chancellor stated that “significant operational disruption” had been caused by the cyberattack, and the campus was made off-limits as a temporary measure while the university struggled to rectify the problem. It may be that the system was under the control of hackers demanding a ransom over this time.

The potential repercussions of the Northumbria University cyberattack

Attacks like these have provoked huge data security breaches at universities in the UK. We are representing victims for the Blackbaud attack in which Blackbaud, a software supplier to many universities internationally, was held to ransom by cybercriminals. Among the affected UK universities were University of Birmingham, University of Leeds, and University College Oxford, to name but a few.

If the Northumbria University cyberattack was found to be the result of poor data protection and cybersecurity measures, the university could also face compensation claims for the damaging consequences caused. The potential effects on victims could include the sale of their private data, its use for identity theft, or its use for scams and fraud.

The stakes of university cyberattacks can also be made higher by the incredibly sensitive information held by these institutions. For instance, universities may possess financial data, as well as personal, family and medical information. This can be in addition to information stored for diversity monitoring, including details relating to the religion, ethnicity, gender, and sexual orientation of students and employees.

Taking action after a cyberattack

If you suspect that your data may have been exposed in an incident such as the Northumbria University cyberattack, you may be able to claim compensation from the organisation that failed to protect your data.

No such liability has been proven in the case of Northumbria University, but the breach was reported to the ICO, so there may be further developments that have yet to emerge. In any case, Northumbria University has been added to the growing list of universities affected by cyberattacks, and this raises questions about what further measures are needed to be taken by universities to ensure for proper data protection.