Phishing Attacks

Barry Salmon made this Freedom of Information request to Edge Hill University

The request was successful.

Dear Edge Hill University,

1. What is your policy for using personally owned devices accessing IT applications?
• We allow access to both student and staff with personal and corporate devices
• We allow access to staff with personal and corporate devices
• We only allow access to corporate devices

2. Do you have visibility into devices that are used to access University applications?
• Yes
• No

3. Do you use multi-factor authentication (such as a hardware token, software code generated by a mobile phone app, or an SMS code) to access IT applications? Please select one answer only.

• Yes, we use multi-factor authentication for all access by students, faculty and staff onto the devices, apps, intranet or IT network
• Yes, we only use it for access to all sensitive data such as financial payments, grades and personally identifiable data (PII) data held on the network
• No, we just use single factor authentication today
• We just use single factor authentication today but we are planning on implementing multi-factor authentication in the next 12 months.

4. What security risks in personal devices are you most worried about when accessing University applications?
• Out of date software. Ex: Operating systems, browsers
• Physical security of devices. Ex: passcode lock
• Jailbroken / Rooted devices
• Others (Please specify)

5. What is your policy regarding patching and updating digital devices, operating systems and apps which access your corporate network? Please select one answer only.

• We implement all patches/upgrades within 48 hours from notification
• We implement all patches/upgrades within 7 days of notification
• We implement all patches/upgrades within 30 days of notification
• It is impossible for us to maintain all devices, operating systems and apps at the latest version and patches/upgrades typically take longer than 30 days to implement.
• We outsource the patching and upgrade of all our devices and systems to a third party

6. Has your university ever been the victim of a phishing attack (where an individual is duped into disclosing their login, password or credit card details via an email purporting to be from a trusted source)? Please select one answer

• Yes
• No
• Don’t know

6a. If yes, how often have you experienced a phishing attack in the last 12 months? Please select one answer.

• 0-5 times
• 6-10 times
• 11-50 times
• 51+ times
• Don’t know

6b. If yes, which is the most common target of the phishing campaigns? (please select one)

• Students
• Lecturers/faculty staff
• Employees
• Other (please specify)

6c. What type of data was being targeted? (select all that apply)
• Student personally identifiable information (PII) e.g. date of birth, National Insurance Nos.
• Employee PII
• Financial/payroll data
• Research/patents
• Other (please specify)

6d. Did you identify the attackers and, if so, are they? (select all that apply).
• Organised cyber-criminals
• Opportunistic hackers (non-organised)
• Political hacktivists
• Disgruntled employees/former employees
• Disgruntled students/former students
• State sponsored hackers
• Other (please specify)

Yours faithfully,

Barry Salmon

foi, Edge Hill University

Dear Barry Salmon

Request for Information: FOI161714350

Thank you for your email requesting information relating to activities at Edge Hill University. This request has been handled under the Freedom of Information Act 2000. In response to your request I can confirm the following:

1. What is your policy for using personally owned devices accessing IT applications?
• We allow access to both student and staff with personal and corporate devices

2. Do you have visibility into devices that are used to access University applications?
• It is unclear what this request means.

3. Do you use multi-factor authentication (such as a hardware token, software code generated by a mobile phone app, or an SMS code) to access IT applications? Please select one answer only.
• We use single factor authentication today but we are planning on implementing multi-factor authentication in the next 12 months.

4. What security risks in personal devices are you most worried about when accessing University applications?
• Information not held.

5. What is your policy regarding patching and updating digital devices, operating systems and apps which access your corporate network? Please select one answer only.
• This information is not publicly available. Disclosure would be prejudicial to the University’s commercial interests and is, therefore, exempt under section 43 of the Freedom of Information Act. The factors for withholding the information are that to disclose the information would present serious risks of harming the University’s IT Operations which is neither in the University, staff or its student interests, nor is it in the interests of the wider public.

6. Has your university ever been the victim of a phishing attack (where an individual is duped into disclosing their login, password or credit card details via an email purporting to be from a trusted source)? Please select one answer
• Yes

6a. If yes, how often have you experienced a phishing attack in the last 12 months? Please select one answer.
• Information not held.

6b. If yes, which is the most common target of the phishing campaigns? (please select one)
• Information not held.

6c. What type of data was being targeted? (select all that apply)
• Information not held.

6d. Did you identify the attackers and, if so, are they? (select all that apply).
• Information not held.

We trust that this information fully answers your request and would like to apologise for the delay in responding. If you are dissatisfied with the handling of your request, you have the right to ask for an internal review, quoting the above reference number in all communications. Internal review requests should be submitted within two months of the date of receipt of the response to your original letter and should be addressed to: Dr C Hutchinson-Howorth, Director of Strategic Planning at the University.

If you are not content with the outcome of your review you may apply directly to the Information Commissioner requesting he review our decision. You must submit your complaint in writing to the Commissioner within six months of receiving the response to review letter. The Information Commissioner can be contacted at: The Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

Kind Regards
Lisa Cobain

Freedom of Information Office
Edge Hill University
St Helens Road
Ormskirk L39 4QP

Email: [Edge Hill University request email]
DDI: 01695 650791
