Harry is an MPP candidate at the Blavatnik School of Government. Prior to starting at Oxford, she worked as a senior cyber security consultant in Governance, Risk, and Compliance (GRC). With five years’ experience in the field, she is keen to bridge the gaps in cyber and technology policy-making and implementation.
Last week, it was revealed that a student at Oxford used the public-facing Searching the University of Oxford function to obtain the name, college, department, and email address of every member of the University in a poor attempt to create the monetised Tinder-Facebook mashup, OxShag.
News pertaining to the incident has largely been focussed on the data security and privacy concerns associated with OxShag itself. What is more concerning, however, is Oxford’s policy that allowed the misuse of this data in the first place. This is not only a data security and privacy issue, it is also a cyber security issue.
As a student at Oxford, I am heartened by the implementation of a number of cyber security protocols, like the implantation of mandatory Multifactor Authentication (MFA) when accessing digital university services from personal devices, by the University. MFA is one of the most effective tools to protect against cyber-attacks. For instance, even if an actor is successful in compromising your credentials, MFA makes it very difficult for the actor to use these credentials successfully (there are, of course, exceptions, but those exceptions are outside the scope of this piece).
Given Oxford has clearly thought about its cyber security (to some extent), it begs the question: why does Oxford have a public-facing search function on its website that allows any member of the public with an internet connection to search for the contact details of any current member of the University? The most common response seems to be that this is a handy tool for connecting academics. No shade to the undergrads and masters’ students, but I hardly think we’re being inundated with requests for collaboration on papers and conferences, so much so that the only possible way for a third party to find us is via a dubious search function on Oxford’s official website.
My argument against this type of publicly available search function is fourfold. First, they are unnecessary. Second, they compromise data privacy and increase the attack surface of individuals at the University. Third, this data can be used for much more nefarious purposes than a shitty Tinder-Facebook imitation. Fourth, because this function is publicly available, attribution and enforcement is almost impossible.
To point one: in the digital age, there are numerous ways to find the contact details or email addresses for someone that do not require providing access to the identifying information of everyone in your institution via search on a public-facing website. For the collaboration this function is designed to facilitate, most academics’ details are available via their department website. Also… Google? The difference being, if someone’s details are available via their department website or their personal LinkedIn, etc., they have consented, or at the very least, been informed that their details have been made available. Not only is this search function unnecessary, but Oxford’s attempts to inform us of the purpose of its use and the ability to opt-out have been haphazard at best.
To point two: the search function can be exploited via automated tools to scalp the information of every member of the university who has not opted out. This is much easier to execute when all the information is located in a central repository, as opposed to dribs and drabs spread across the internet, which the student involved alluded to as some sort of justification for the use of this data. Oxford’s decision to maintain a central, open repository of all current members’ contact data makes it easy for an actor with sufficient motivation and capability to access the data, triangulate the information with other sources, and launch more effective attacks against them.
This leads to point three. Now in possession of thousands of University members’ contact information, you can create your weird Tinder-Facebook mashup. In the case of OxShag, it was a student looking to make connections and some cash. But that very same service could have been used to blackmail or embarrass individuals signed up to OxShag. Independent of OxShag, the search function provides a motivated attacker with access to enough information to launch reasonably sophisticated social engineering attacks, like phishing attacks, that may not be related to the university at all – student bank details, anyone? With the right motivation and resources, the way in which these details can be exploited are endless. We can see how this information was used by a bored student, but the consequences could be much higher if the same process was used by cybercriminals or nation-states. Given that universities and their members have long been the targets of such groups, the prospect of this occurring is well within the realm of possibility and Oxford must weigh these risks with the supposed benefits that maintaining the search function provides.
And now, to point four: enforcement. Oxford has reportedly responded that this was a breach of the IT Regulations, that such use was not the intent of the function, and that they are working to apprehend the student allegedly responsible. I’m guessing, though, that if the apparent student was capable of automating data scalping to this extent, they are also capable of covering their tracks (GL;HF, forensics). Oxford does not seem to have considered that because it’s a public-facing website, attribution, enforcement, and prosecution are tricky. It could be (and, in this case, likely is) a sexually frustrated student, but it could also be a citizen in a foreign jurisdiction. What are they going to do, expel old-mate in North Korea from a university they don’t attend? Extradite them? This is all to say that successful attribution and enforcement is a difficult, resource-intensive process, which lowers the consequences for more unscrupulous actors who could use this information for more sophisticated attacks and/or purposes.
One might rebut and say, “Well, I can export the details of everyone at the university via the Active Directory” (AD) in Outlook. And, yes. You could. But you would need to be a member of the university logged in through a university Single Sign-On (SSO). Yes, this same data can be exported from Outlook… But it can also be audited by IT security with relative ease. Non-repudiation (that it was your SSO and no one else’s) increases both the barrier to, and the consequences of, exporting and misusing bulk personal data, both of which serve as a deterrent.
Currently, the student allegedly responsible may be responsible for breaking GDPR, but is Oxford not accountable? This was only able to occur because Oxford made a decision that allowed members of the University’s contact details to be searched by anyone via public interface. Oxford needs to apply the same level of rigour and consideration that it applied to the implementation of MFA to the future of this service to prevent further misuse of personal data and downstream cyber-attacks. In the short term, Oxford should release University-wide communications regarding the incident alongside clear instructions for users who would like their details removed from the repository.
In the long term, Oxford needs to seriously reconsider the necessity of the search function. It must carefully weigh the benefits of what appears to be a largely redundant tool providing access to ample personal information with the risk of the function and the associated data being misused. If the University decides to keep it, the process for an individual consenting to their details being available through the function needs to be revisited both technically and legally, moved to an opt-in system separate from IT registration, and tested regularly to ensure conformance.
Managing cyber security risk in any organisation is about weighing the likelihoods and impact, including those downstream, of a cyber security event occurring; the balance between a control and its impact on functionality; the priority of managing these risks; and the allocation of resources to manage risks according to these oftentimes competing factors. Organisational cyber security is a complex task for any organisation, but especially for one as large, high profile, and attractive as Oxford. We don’t know if this search function has been used maliciously by more nefarious actors, but we do know that they are able to do so with relative ease. Comparatively, advances in technology have made such a feature largely redundant. Oxford ultimately needs to make the decision on the future of this feature, but from the outside, removing it is a quick and cheap intervention for a feature whose benefits are far outweighed by the risks.
