Cyber Incident Victim: University of Manchester
Date: Jun 2023
Location: United Kingdom
Summary
The University of Manchester suffered a cyberattack where an unauthorized party accessed its systems and likely exfiltrated data. The incident led to the temporary unavailability of certain internal systems. Following the breach, threat actors employed a triple extortion tactic by directly contacting staff and students with threatening emails, warning that their personal information would be leaked unless a ransom was paid. The compromised data included personal details from systems managing student accommodation and alumni activities.
Description
On or around June 6, 2023, the University of Manchester discovered it was the victim of a cyberattack. The university declared a cyber incident upon discovering unauthorized activity on its network. An investigation was launched immediately, confirming that an unauthorized party had accessed some of the university's systems and had likely copied data. The University of Manchester is a major public research institution with over 10,000 staff and 45,000 students, making it one of the UK's largest education and research hubs. The university promptly reported the incident to the relevant authorities, including the Information Commissioner's Office, the National Cyber Security Centre (NCSC), the National Crime Agency, and the Office for Students.

The initial response involved in-house experts and external support working to remediate the situation, determine the scope of the systems accessed, and work toward restoring systems. The university set up a dedicated FAQ page to provide guidance and updates to its community. While the university's public statements did not specify the exact nature of the attack, external sources reported it was a ransomware incident, though this could not be independently confirmed and the university declined to comment on it. The university explicitly stated the incident was unrelated to the widespread MOVEit Transfer data theft attacks occurring around the same time.
By June 9, 2023, the university had confirmed that data was likely stolen. The ongoing forensic investigations focused on identifying which specific data and which individuals were impacted. The university began communicating directly with those affected, offering advice and support. Initial guidance advised staff and students that password resets were not yet required but urged high vigilance against potential phishing attacks stemming from the breach. The university established a dedicated email address, [email protected], to handle queries related to the incident.
Approximately two weeks after the initial discovery, a new phase of the incident emerged. By June 23, 2023, staff and students began receiving threatening emails purportedly from the threat actors behind the attack. This tactic, known as triple extortion, involved the criminals directly contacting the victims whose data was compromised to pressure them into demanding the university pay a ransom. The emails contained a "last warning" that personal information would be leaked onto the dark web unless the hackers' demands were met. The university advised all staff and students to be wary of opening suspicious emails and to report any phishing attempts to its IT department.
The forensic investigation identified specific systems that were accessed by the unauthorized third party. One compromised system was used to help manage student accommodation. The categories of data potentially affected from this system included names and contact details (address, telephone numbers, email address) for both students and their next of kin, University ID numbers, basic programme information, date of birth, gender, nationality, domicile, ethnicity, UCAS number, fee status, and UCAS disability codes where relevant. For some students, the system also included a summary of key communications or other records relating to their university accommodation.
A second system was accessed that was used for the University’s alumni and supporter activities. A profile was created on this system for current University students, containing names and contact details, University ID numbers, gender, date of birth, and basic programme information. The university confirmed that no bank account or card payment details were stored on these compromised systems and therefore no such financial information was accessed. The university also contacted individuals on its relationship management database, Raiser’s Edge, which held records for alumni, supporters, and those who had attended events or supported the university, to inform them their data may have been involved.
The cyberattack caused significant operational disruption. As a containment measure, the university restricted systems and accounts in various ways. The GlobalProtect VPN service was switched off for a period, impacting remote work and access to certain resources for staff and students. This required many staff to work on campus more frequently to perform duties that could not be done remotely. The university provided guidance for staff facing challenges due to childcare, caring responsibilities, or health conditions related to this change. Several systems, including the student portal 'My Manchester,' were temporarily unavailable, necessitating the creation of alternative support pages to collate information and links. The accommodation portal was temporarily offline, disrupting the process of applying for and accepting accommodation offers, though it was later restored with extended deadlines for applicants.
The IT infrastructure underwent significant changes to enhance security. The university pushed new software installations and updates to computers connected to the campus network or VPN. Improvements were made to the email filtering system, including the introduction of a twice-daily digest email for quarantined messages and a URL defense service to scan links in emails from external sources. The stock of IT equipment was limited due to the need to forensically examine and rebuild parts of the IT estate, causing delays in issuing new equipment. Print and toner replacement services experienced issues, and staff were provided with alternative contact methods for support.
The university emphasized that core functions remained secure. They confirmed that payroll processes were unaffected and that making donations or payments to the university online remained safe as transactions were processed immediately via a secure third-party partner that did not store card or bank details. Door access controls operated on a separate network and were largely unaffected, though a small number of users might experience temporary disruptions. The library's electronic resources remained accessible without a VPN connection by using university login credentials.
Wellbeing support was offered to all staff and students concerned about the incident. The university encouraged affected individuals to sign up for a 12-month subscription with Experian for identity monitoring support to help identify and resolve potential identity theft. The university acknowledged the concern this incident caused for international students whose data might have been shared outside the UK and directed them to available support services. The incident highlighted the targeting of the education sector; according to Check Point data, the UK’s education/research sector was the top target for ransomware actors, with 3809 weekly attacks per organization in the six months preceding the incident.
The university continued its forensic investigation and review of the impact for months after the initial discovery. The dedicated cyber incident webpage was regularly updated into 2024 with new information on data accessed and service availability. The university worked closely with law enforcement and national cybersecurity agencies throughout the response, supporting the national effort to counter cybercrime. The restoration of services was gradual, with the GlobalProtect VPN service being made available to all staff and students again by May 10, 2024. The university maintained that there was no evidence of any onward compromise of its partners' systems but understood their concerns and advised them to make their own risk assessments regarding reconnecting to the university network.
