‘All hell was breaking loose’: How hackers forced a mega college to close

Exclusive

FE Week tells the inside story of the cyber attack that shut down one of Birmingham’s major colleges, and finds out what others can do to protect themselves from similar threats.

At around 3am last Saturday, an alert rang out around South and City College Birmingham’s key staff and managers that the server had crashed.

The news reached principal Mike Hopkins later that morning, while he was training to cycle this year’s Tour de France for the charity Cure Leukaemia.

“We went in to find out what’s going on, to see all hell was breaking loose,” he told FE Week. He called it a “very high-level, automated” attack, committed through an unknown “backdoor” into their system. The college believes it had something to do with administrator’s rights.

The hack was what is known as a ransomware attack – where criminals restrict access to computer services until the victim pays up – as it “effectively encrypted all our systems and files, everything”.

cyber attack
Mike Hopkins

This meant staff could not access services such as human resources and finance, so: “We’ve had to adopt alternative arrangements of systems to raise orders, pay bills, etc.”

However, it has not affected the college’s banking, and payroll has been adapted. No ransom has been demanded yet, but Hopkins has been told the perpetrators usually demand £2 million in the cryptocurrency Bitcoin.

One of the first things they had to do was secure their computers from being infected, as “turning one on would have caused real difficulty”.

SCCB is one of the biggest colleges in England, with eight campuses and centres across Birmingham, so it was a “weekend’s job,” Mike said, of staff racing around unplugging every machine.

Apart from that, there was “nothing at all we could do but shut down the college”.

Without access to emails, social media was relied on to get the word out for its 13,000 students to not come to lessons on Monday morning and to stay at home for a week.

Online provision has been able to continue as the college can access Microsoft programmes such as Office and Teams, and now their emails.

This week, the college has called in IT security specialists IP Performance and education technology experts Jisc to establish what has happened.

Action Fraud, the National Cyber Security Centre, the Information Commissioner’s Office and funding bodies have also been contacted.

The college is still not entirely sure how the hackers got in, and whether any information has been stolen. “The key to begin with,” Mike said, “is making sure we get to the bottom of exactly what they’ve done where they have got into, and that you don’t leave a backdoor in”.

‘It’s an absolute pain in the backside with Covid’

From Thursday, a number of students came back on to campus, including those on practical programmes, those who cannot access IT due to a language barrier and some vulnerable learners.

A full return to face-to-face provision may not happen for many weeks, Hopkins warned. The college is continuing to give students laptops and internet dongles to rent but will be increasing the numbers of students back each week.

Hopkins praised neighbouring Birmingham Metropolitan College (BMet) for allowing SCCB to use its facilities for accountancy exams scheduled for this week.

“If anybody thinks that colleges can’t and don’t work collaboratively, here is one of the best examples you can possibly get that we do.”

Hopkins is not sure when his college will return to “normal,” as having asked this question on Tuesday, he was told “how long is a piece of string?”

Firstly, the college has to establish what has happened, and each of their “tens of thousands” of machines has to be checked for infection – this first stage is expected to take until Easter.

“It’s an absolute pain in the backside with Covid,” Hopkins said, and their onsite coronavirus testing centre had to be put on hold and students were instead sent testing kits to use at home.

However, as an experienced college leader, Hopkins refuses to be intimidated by the attack: “I have this fundamental view there’s no such thing as insurmountable problems.”

One downside is “I’m not sure there is anything to be learned from it,” Mike said, as after having analysed attacks at other institutions “we thought we’d done everything that we could”.

“But you can’t stop everything because the very nature of the college is that we’ve got, like most colleges, an array where our staff and students can access their user areas remotely.” He did, though, believe this attack was “different”, owing to the possible use of administrator’s rights.

“Covid, in some sense, has helped us because there has already been that massive shock to the system, so people are used to dealing with difference and are certainly used to working at home.”

Colleges ‘sometimes don’t have a clue about their IT systems’

While Hopkins and his team were able to act quickly on their breach, other colleges have in the past been caught quite unprepared for a possible cyber attack.

Eighty per cent of further/higher education institutions identified a cyber security breach or attack in 2019, according to figures published by the Department for Digital, Culture, Media and Sport.

Stefan Drew, a marketing consultant to colleges, with experience working on related IT systems, cites one college he worked with where the staff did not know where their server was: not IT, not marketing and not the web developer.

“I actually found it, in the end, in a basement of the college on a table. It was above the line where it had flooded a month or two before.

“That shows you how, really, people don’t have a clue what’s happening in their IT systems sometimes.”

He puts this under-preparedness down to a lack of knowledge and accountability for colleges’ computer systems.

For instance, there is a “naivety” among colleges that think they would be better off designing a website in-house, rather than commissioning a dedicated company.

cyber attack
Stefan Drew

So, “when somebody in the college designs this bit of software, with no experience whatsoever, it’s designed with all the individual’s idiosyncrasies. If they leave, someone looks at it and says: “I haven’t got a clue what they did with this, let’s start again”.’

Meanwhile, a website designed by professional developers will be regularly tested, including by so-called ethnical hackers – who attempt to break into cyber systems to help inform the owner and others.

The plug-ins on a website, of which enquiry forms are examples, are also tested; but Drew warns that if these are not regularly updated after being installed, they can be used as a backdoor into a website.

“If you’ve got a backdoor into the website, the next question I ask is, what does that website connect to, and can that be a backdoor into other systems?”

Gathering data from the management information systems (MIS) is one risk he poses.

A good example he found was where a college’s website could read the MIS system, but as “read-only”, so information cannot be sent out of the system.

Outdated software can also be a problem once a system has been hacked: another college Drew worked with was using a little-used content management system for its website, for which he could only find seven developers that could help if things went wrong. This means that the college “is over a barrel” paying for help if the website breaks. 

Plus, the system could be easier to hack into as it would be tested less frequently. Furthermore, if servers are not backed up “regularly”, he says, the data could become corrupted, or recent data could be lost if a back-up from before it was inputted needs to be used.

Drew recommends colleges have a process for checking their IT systems and for ensuring that process works as well.

Penetration testing, where companies are hired to try and hack into systems on a regular basis, is also recommended as although it is “not that cheap, it’s cheaper than having some hacker get in and hold the college to ransom”.

Ten tips to avoid cyber attacks

To help colleges avoid falling victim to hackers, FE Week asked Midlands-based IT experts Infuse Technology for their top tips on preventing cyber attacks…

1. Define a starter process

Ensure that the appropriate and necessary permissions are granted for new employees and foster a culture of information security awareness.

2. Define a leaver process

This should include removal of all access rights in a timely manner for departing employees, including cloud access.

3. Patch your servers and PCs

‘Patching’ repairs a vulnerability or a flaw that is identified after the release of an application or software – they are intended to fix bugs or flaws that create security vulnerabilities.

4. Two-factor authorisation (2FA)

Two-factor or multi-factor authentication requires users to provide a secondary form of verification in addition to a primary form, such as a fingerprint or one-time passcode, before accessing accounts.

5. Implement an effective disaster recovery strategy

Failure to prepare for the worst can lead to irreversible damage.

6. Utilise device management to safeguard sensitive data

Limiting access to devices that hold sensitive data can reduce the risk of a cyber attack. As part of this, appropriate staff training and preventative measures should be put in place.

7. Review data storage

Whether your data is stored manually on premises, or stored digitally in the cloud, ensure employees are storing and sharing data in a secure, confidential way.

8. Remove generic accounts

Eradicate generic accounts whereby the password does not change, or multiple users have access.

9. Minimise access privileges to data

Review who holds login privileges, ensuring access is only granted to those who require it as a necessity.

10. Defend your email

Ninety-five per cent of threats infiltrate systems via email – one of the best defences in minimising such threats is by educating staff, ensuring they select strong passwords and know how to spot the signs of a phishing attack

Your thoughts

Leave a Reply to Phil Hatton Cancel reply

Your email address will not be published. Required fields are marked *

3 Comments

  1. Mmmmn – So they went round to turn off all the computers on site to prevent them being infected. Then are checking the ‘tens of thousands of machines’ they have, which will take until April.

    That’s great, presumably that also includes all the devices connecting to the servers from offsite, both College owned devices and the personal devices that staff use to work through COVID restrictions.

    Also, I hope they informed the ICO about being locked out of their data…

  2. Phil Hatton

    If it can happen at this well run and resourced college it can happen anywhere. Great to see Birmingham Met helping out and hope that the students don’t suffer too much disruption to their studies. All colleges need to run simulations of what they would do if this were to happen and governors need to ask how well protected their colleges are, especially with multisites. Hope that this is a one off and not the start of anything more co-ordinated. And thanks FE Week for the 10 pointer tips