On 10th of this month, the University of Kashmir (KU) was caught napping in detecting an alleged data breach related to the University students and teachers. Much to the embarrassment of its IT officials and ‘experts’, the issue of data breach was reported to the University by a news portal based in Bangalore which reported that the personal data of 1 million+ students and employees of the University was put on sale by hackers on what’s called as Dark Web, a hidden part of the internet world that cannot be accessed by ordinary people. The first response that came from the University was next day, on August 11, when the issue became a national media spotlight in view of its gravity and the social media users, especially students of the Kashmir University, exploded in anger against the University for “risking their privacy.” “It’s shocking in IT operations that the University could not detect the data breach on its own and had to rely on media reports for the same,” wrote one social media user, a student of computer sciences at KU.
The database allegedly put on sale on the Dark Web for 250 USD claimed to include student information, registration number, phone number, email address, password, employee data, and much more.
“What if my photographs, phone number and email id are purchased by cyber criminals for use on matrimonial or porn sites? I can be subjected to blackmail and my reputation can be shattered for all times to come,” wrote another angry social media user, Shazia, also a student of the Kashmir University.
The University authorities after the outrage issued a statement which said that the University’s “data was unmodified” and that it was “analyzing any breach of data read (which is accessible in public domain) in depth.”
However, several students and teachers of computer engineering vehemently slammed the University’s response as half-baked and an attempt to hide the facts.
“It is completely wrong that this is only read-only data. It has entries related to university’s business, budget and financial transactions as can be seen from the available index. That means it is a non readable and non accessible data,” said a student, adding that “The University officials are trying to push this serious issue under the carpet by hurling all kinds of lies to the public. But they cannot fool computer scientists, engineers and cyber experts.”
In the meantime, officials of the University themselves acknowledged that the CERT-In, a national nodal agency of the MeitY (Ministry of Information Technology, Government of India), had sought a detailed report from the University authorities about the alleged data breach.
“CERT has sought a report from us and we are responding to them within the specified time frame,” said Dr Maroof Qadri, who looks after the University’s IT operations. He said that their preliminary assessment says that the data is “safe and unmodified.”
However, what has now put a fresh spotlight on the data security breach is the unconvincing story put forth by the University’s IT officials allegedly to downplay a serious issue that has disastrous implications on privacy of stakeholders whose data has been put on sale on the Dark Web.
“Why did the University fail to detect this breach on its own is a serious question that its IT officials should explain. In any conscious set-up, heads would have rolled over this serious issue. But KU is always an exception to this rule,” said a computer engineer, who wished to remain anonymous.
According to university sources, who are in know-how of IT operations, the University’s IT Directorate has never gone for a third party technical audit of its website and the applications and software hosted on it. This, they said, is a mandatory requirement for any institution having data in bulk, especially the personal data of students and employees.
“The IT Directorate must have spent nearly Rs 40 crore on its operations ever since its inception. Annually it spends around 4 crore on the same. But if our data is available for barely Rs 18000 on Dark Web, we can easily gauge that this money has gone down the drain,” said a source, adding that the University which recently bragged about its so-called digital transformation does not have an IT policy or the Data Protection Policy in place.
“In our University, all that IT people do is provide internet to teachers and students which also remains impacted for most of the time,” the sources said, alleging that soon after the current episode, some University administrators started trying to “save IT officials rather than data by cooking up tales before VC regarding data breach”.
Cyber experts in Kashmir said the University has not complied with CERT-In instructions on preventing data breaches and data leaks.
“KU’s IT officials are conveniently trying to shift blame on read-only data to save their skin. Basic thing is that data has been breached and security compromised. There have been clearly poor protocols and firewalls in place. It is immaterial for hackers to have modified or unmodified data. It is an attempt to fool people,” said one cyber security expert, adding that the University should have ordered a third-party security audit of its data systems to see the level of breach and the number of users impacted by it.
Such an audit, the expert said, will also help the university to plug its vulnerabilities for the future.
Interestingly, the University has its own Data Center which has been procured and set-up for lakhs of rupees (some say Rs 2 crore including installation), according to sources. However, the current data breach has also brought into question the “operational efficacy” of this Data Centre.
“The Vice Chancellor of the University should approach MeitY for conducting a third-party evaluation/audit of all its IT operations so that there are no insecurities and vulnerabilities in the data systems,” said the cyber expert. “The IT’s Data Center, Applications, Softwares and other domains should be thoroughly evaluated and audited in the larger interest of safeguarding university’s data security and information.”
If sources are to be believed, the University Administration has lodged FIR with Cyber Police Srinagar regarding the hacking incident, thus negating its own claim that the “data was safe.”
“What’s the need for FIR if everything is Okay? If this FIR has been filed, it means breach has taken place,” they said, adding that the University Administration should make public the report that it has sent to CERT-In and tell its students and employees about the level of breach.
To conclude, the University authorities cannot take this issue lightly and brush it aside as a small thing. The University has data in bulk which includes personal property details of employees which has been hosted on the same breached system. The present incident has indicated that the University’s data system is highly vulnerable and in need of stronger firewalls, protocols and cyber security. Otherwise, the larger fear is that all its employees are vulnerable to cyber attacks which can be as big as leading to theft of their properties. Students are also genuinely apprehensive of the safety of their privacy and reputation. The University’s Vice Chancellor, as leader of the institution, should rise to the occasion to take this matter seriously. As one University teacher said: “The University should first save data, then IT officials. The responsibility must be fixed.”
Hope right steps are taken in this direction with all seriousness before another such incident puts the University in bad light at the national level.