Oxford University Student Data Breach via Career Platform
Oxford University students seeking work will be dismayed to learn that crooks have breached a second external platform provider for the university in as many months. The institution’s CareerConnect platform, provided by Group GTI, was the target of the intrusion, which exposed users’ full names and email addresses. Those who don’t use single sign-on (SSO) had their encrypted passwords leaked, too. CareerConnect forms part of Oxford University’s career services department, supporting students and alumni to find work opportunities.
Oxford Uni stated that the May 28 attack was enabled by a security vulnerability, which has since been fixed. However, GTI has not publicly disclosed the security issue itself and did not respond to requests for more information. The London-based tech company has not confirmed how many individuals were affected by the break-in, nor whether any data was stolen.
Oxford’s announcement listed alumni, research staff, and employer users as those who had their passwords forcibly reset following the attack. “There is no evidence that course information, uploaded files, appointment information, or financial information were involved in this incident,” the announcement went on to say. GTI has stated this breach appeared to be focused on gathering credentials which may lead to phishing attempts.
The university clarified that this attack was entirely separate from the one which hit Instructure’s Canvas last month. Oxford University was just one of the circa 8,800 educational institutions affected by the mega breach at Canvas, a separate platform that’s also relied upon by schools, colleges, and universities. Seemingly timed by ShinyHunters to coincide with exam season, students across multiple countries were left without access to learning materials, tests, and grades at a pivotal time of the year.
The scale of the attack was vast, affecting the usernames, email addresses, course names, enrollment information, and messages of up to 275 million students, teachers, and staff. The severity of the situation, coupled with the inopportune timing, led to Instructure “reaching an agreement” with ShinyHunters to prevent the criminal gang from leaking all the data online. “We received digital confirmation of data destruction (shred logs),” Instructure said, adding, “We have been informed that no Instructure customers will be extorted as a result of this incident, publicly or otherwise.”