One third of UK universities admit to falling victim to ransomware attacks, according to Freedom of Information (FOI) requests submitted in July this year.
A total of 105 universities responded to the FOI request, 35 of which admitted to being attacked (33%), 25 said they hadn’t been attacked (24%) and 43 refused to respond (45%).
Refusals generally stemmed from institutional concerns that admission would further encourage misdemeanours, stating that no inference as to whether they had or had not been attacked should be drawn from their refusal.
A number of universities – including the University of Oxford – felt that their esteemed reputation made them more vulnerable to attacks. The university commented, “…launching a successful attack would then be regarded in criminal circles as a noteworthy achievement, particularly in view of Oxford’s high public profile.”
Thirty-four of the 35 respondents who said they’d been attacked confirmed that they did not pay the ransom; while Liverpool John Moores, the remaining institution, refused to divulge whether they had paid the ransom or not.
Most of the breaches took place in 2015 (31%), 2016 (34%) and 2017 (23%), with the remaining attacks taking place in the last 10 years.
The majority of cases appear to be isolated incidents, though Sheffield Hallam University and City, University of London reported a staggering 42 attacks since 2013, and seven attacks since 2014, respectively.
Luke Budka, head of digital PR and SEO at TopLine Comms and TopLine Film, the agency that submitted the requests, said: “The recent revelation that hackers extorted US$1.14m from the University of California prompted us to submit requests to UK universities asking for details on ransomware attacks and ransom amounts paid. We were naturally most interested in Russell Group universities as their research focus suggests they’ve got the most valuable intellectual property.
“Of the 18 Russell Group universities that responded, all but three refused to answer the questions submitted. The University of Manchester admitted it had been attacked but said it didn’t record when; the University of Sheffield was attacked in 2015 and the University of Edinburgh stated it had not been attacked in the last 10 years.”
You might also like: Cybersecurity concerns rise as lockdown drives 1.4m more children to livestream