Cyber Incident Victim: University of the West of Scotland

Date: Jul 2023

Location: United Kingdom

Summary

The University of the West of Scotland was the victim of a ransomware attack by the Rhysida cyber gang. The attack compromised staff data, including bank and national insurance details, and disrupted numerous university IT systems. The criminals auctioned the stolen data and demanded a ransom, though the university worked with authorities to manage the situation.

Motives: 2 motives
Tactics, Techniques & Procedures: 2 techniques
Threat Actor: 1 actor
CIA Posture, Type and Location: available to members

Description

On or around July 3, 2023, the University of the West of Scotland (UWS) became the victim of a significant cyber crime, an incident that was formally reported to Police Scotland on that date. The attack impacted a substantial number of the university's digital systems, causing widespread disruption to its operations. The university's official website was taken offline, displaying an error message that apologized for the inconvenience, though some sections of the site were later restored. The cyber incident had a direct effect on staff and students, compromising staff laptops and affecting student submissions. Initial statements from the university confirmed it was facing a "cyber incident" and that it was working with law enforcement and national cybersecurity authorities to manage the situation. For a period following the attack, no criminal group publicly claimed responsibility for the breach, leaving the precise nature and full scope of the incident under investigation.

The situation escalated when the ransomware gang known as Rhysida claimed responsibility for the attack. This group, which according to the cybersecurity company SentinelOne was first observed in May of the same year, operates by positioning itself as a "cybersecurity team" that purportedly does its victims a favor by targeting their systems and exposing flaws in their online security. Rhysida put UWS's stolen data up for auction on its dark web leak site, demanding a ransom of 20 bitcoin, equivalent to approximately £450,000, for the confidential information. The group threatened to sell the data to the highest bidder if its demands were not met. The data advertised for auction was reported to include highly sensitive personal information belonging to university staff, such as bank details and national insurance numbers, alongside internal university documents. While the BBC confirmed that the listing on the gang's site was real, the authenticity of the specific data samples provided could not be independently verified; however, analysis from cyber correspondents suggested it was unlikely to be a fake, since such criminal gangs operate on a basis of profit and reputation, and faking data would not serve their long-term extortion goals.

In response to these developments, the University of the West of Scotland issued statements acknowledging the severity of the breach. A university spokesperson confirmed that the institution had been the victim of a cyber crime which affected a number of its digital systems and that some staff data had been accessed by the attackers. The university emphasized that all appropriate steps were being taken to manage the situation and that some details remained sensitive because of the ongoing criminal investigation. UWS stated that it was following a controlled process to work towards a resolution and had been briefing colleagues and students regularly since the start of the incident. Staff whose data was compromised were being contacted directly and provided with information and support. The university also confirmed it was working closely with the relevant authorities, including Police Scotland, the National Cyber Security Centre (NCSC) and the Scottish government, to address the attack and its aftermath.

The involvement of law enforcement and national agencies was a key aspect of the incident response. Police Scotland confirmed that an investigation was underway following the report of the cyber incident in Paisley and that inquiries were ongoing. The Scottish government also acknowledged awareness of the UWS "IT security incident" and stated that support was being provided to the university by national partners, including the Scottish government itself. The stance of the National Cyber Security Centre, as referenced in reporting, is that law enforcement does not encourage, endorse or condone the payment of ransom demands. This official position placed the university in a difficult situation, weighing the potential release of sensitive data against the guidance of cybersecurity authorities. Analysis from Brett Callow, a threat analyst at the cybersecurity company Emsisoft, suggested that the Rhysida gang was likely hoping the university would pay the ransom to prevent the information from being released onto the dark web, where it could be used by other cybercriminals to commit identity fraud, even though the data itself likely had nowhere near the demanded value to a third-party buyer.

The incident at the University of the West of Scotland is part of a broader trend of ransomware attacks targeting educational institutions. The university, which has campuses in Paisley, Ayr, Dumfries, Blantyre and London, experienced significant operational disruption. This attack occurred shortly after a similar cyber attack targeted the University of Manchester, and a separate mass hack affected a number of organisations including the BBC, highlighting the persistent and widespread threat posed by cyber criminal groups. The Rhysida group itself has attacked multiple organisations across the world, using its signature method of data exfiltration followed by auctioning of the stolen data to exert pressure on its victims. The impact on UWS was multifaceted, affecting IT infrastructure, compromising personal data and creating uncertainty for both staff and students as the university worked to restore systems and mitigate the damage caused by the breach. The ongoing criminal investigation meant that a complete public account of the incident's specifics, including the full extent of the data exfiltrated and the initial attack vector, was not immediately available.
