Following Dundee and Angus College’s recent cyber attack, Charlie looks at why their response is a good example of how to deal with a cyber incident and what we can learn from it.
I thought this week we might take a break from talking about the coronavirus (COVID-19), as every man, woman and consultant seems to be posting their thoughts, response actions and checklist on social media and on business continuity websites. So, if you need more COVID-19 guidance there is lots of it out there. In line with the announcement that my Managing and Preparing for Cyber Incidents course has been certified by GCHQ, I thought I would write about Dundee and Angus College’s cyber incident which took place recently, from the 31st January to 6th February. I wasn’t aware of the incident until one of our clients informed me and said that the Scottish Government and the Police were very involved in the response.
Whilst it was not a major incident and it only really made the local papers, I thought as their response was pretty good, I would share some details as an example of a good response. I really like this quote from Brian Honan in Computer Weekly ‘Thankfully, we now live in a world where it is accepted that data breaches happen, and organisations are more comfortable disclosing that they have been victim to an attack. However, with this welcome move away from victim blaming, organisations are now being judged more on how well they manage a breach.” So, if we know what best practice is, we can aspire to carry it out if our organisation has a cyber breach.
When looking at Dundee and Angus College’s response, as I have no insider information, I only have access to their response on Twitter, Facebook, their website and Local Paper reports. I think reading this information gives a good overview of their response. What I have not been able to get is the students’ reaction and their thoughts on whether the incident was well managed or not. According to a local newspaper, The Courier, the incident started at 3am on Friday 31st January and during the day all three campus’s IT systems became infected with ransomware. On Friday they sent students home and cancelled classes, on Saturday there were no communications, but on Sunday they posted on social media that the college would be closed on the Monday. Communications on Monday told students that on Tuesday classes would also be closed. However, students were asked to come into one of their three campuses on Tuesday and sign back in in order to access the college systems. On Tuesday they announced that the College would reopen on Thursday, which it dually did.
The following points include the communications I thought were good practice, which the College carried out throughout the incident:
1. If the incident affects your organisation and there isn’t the possibility of keeping silent, then you should quickly acknowledge publicly that you have had an incident and that once you have further information you will post an update. In the college’s incident, although it occurred on Friday there was no communication until Sunday – I suspect this was all about timing. As the incident occurred on Friday, they had the luxury of the weekend to decide how serious it was and whether they could resolve it before students and staff returned to work on the Monday.
Figure 1 Initial post on twitter signposting to Facebook for more details
2. In their first communication, which was on social media on Sunday 1st February, they admitted immediately that it was a cyber incident, not a computer glitch or as Travelex had on their website for two weeks ‘this site is temporary unavailable due to planned maintenance’.
Figure 2 Initial information on Facebook
3. If your main website is down due to ransomware, then you have lost your main means of communication, especially if you have a number of different messages to communicate. The College followed the well-trodden path of using social media to communicate with their stakeholders, until they were able to get their website up and running. Twitter was used to give short messages signposting those wanting more information to go to Facebook. Twitter is well used by the college and they have over 6,900 followers. They have built their audience on Twitter so that when an incident occurs their students and others would naturally turn to social media for information. On Facebook they had over 14,000 followers and so used it effectively to give out incident information. Facebook is useful in an incident, as people can post messages and the organisation have the ability to reply. It can be used as a good repository of questions and answers on the incident. You can see the questions and answers from the college, in response to queries from students on Facebook.
4. It was clear that the college put ‘the victims’ (the students) and staff at the centre of their response and throughout the incident thought about what might be worrying them and then in their communications reassured them. Communications stated that they believed no personal data had been lost in the attack and those students in receipt of ‘bursary entitlement or any other payments’ would not be affected. Even when they asked students to come in to sign on to their college computer accounts, they had the buildings open for extended hours (9am to 7pm), and they made sure that the canteen was open during that time. After all students returned on Thursday the College had to admit that some of their backups had be impacted by the ransomware, but they were very clear to say that this would be taken into account when grading their work.
Figure 3 Example of information to ensure people are given up to date information
5. Most of the activities usually carried out in the college were closed for three days, even the Gardyne Gym & Swim. The only activity which continued was the Arbroath Helping Hands Nursery. Closing the nursery, I presume, would have had a major impact on staff and others in the local area and perhaps even those who might have been responding to the incident, so this shows that the incident team had thought through their response and not just closed everything as a knee jerk response.
6. Throughout the incident they said when they would give the next update, usually the next afternoon and kept to their word in doing this.
7. The principal was not featured in the communications from the beginning, but on Wednesday he released a full statement on the event, he praised staff for their amazing response, talked about the college having Cyber Essentials Plus in place, proving that they had taken cyber security seriously and described that the cyber-attack was not targeted at them but can ‘happen to any organisation and the feedback we have had from experts is that we have been unfortunate’. Visibility of senior managers and their comments are an important part in any incident response and although the ‘message from the principal’ was delivered five days into the incident, it was a lot better that the Travelex CEO who took two weeks to come up with a statement on their cyber incident.
Figure 4 Message from the Principle
8. It was interesting to note the tone of the principal’s message. He described the organisation as a victim and didn’t apologise for the impact on students and staff. Perhaps this was the right call to take at this time, but if the college is found negligent in any way during the investigation then this position may be more difficult to hold.
9. After the incident it was reported in the local paper, The Courier, that a ransom had been demanded for the decrypting of their data and the principal is quoted saying ‘The idea of paying a ransom, or paying any money, is a non-starter for us. It’s just not going to happen’. This is perhaps not to panic students and staff, but it was only admitted after the event that a ransom had been demanded. I think the information about a ransom makes the attack seem more personal, so I can understand only releasing this information after the event. It also plays into the college’s narrative that they are a victim and it was due to a student or staff member clicking on a phishing email and their system perhaps being vulnerable to this type of attack.
You can find a timeline of Dundee and Angus College’s events and communications here.
On the whole I am impressed by quite a small local institution responding to a cyber-attack much better that some of the large, more resourced organisation’s such as British Airways, Marriot and Travelex. So those of you who have not yet had to respond to a cyber incident would benefit from coming on my two day Managing and Preparing for Cyber Incidents course, or at least take something from the lessons outlined in this bulletin.
I would also like to say thank you to Robyn McEwan who helped me research this incident.