Phishing Attacks

Barry Salmon made this Freedom of Information request to University of Wolverhampton

Response to this request is long overdue. By law, under all circumstances, University of Wolverhampton should have responded by now. You can complain by requesting an internal review.

Dear University of Wolverhampton,

1. What is your policy for using personally owned devices accessing IT applications?
• We allow access to both student and staff with personal and corporate devices
• We allow access to staff with personal and corporate devices
• We only allow access to corporate devices

2. Do you have visibility into devices that are used to access University applications?
• Yes
• No

3. Do you use multi-factor authentication (such as a hardware token, software code generated by a mobile phone app, or an SMS code) to access IT applications? Please select one answer only.

• Yes, we use multi-factor authentication for all access by students, faculty and staff onto the devices, apps, intranet or IT network
• Yes, we only use it for access to all sensitive data such as financial payments, grades and personally identifiable data (PII) data held on the network
• No, we just use single factor authentication today
• We just use single factor authentication today but we are planning on implementing multi-factor authentication in the next 12 months.

4. What security risks in personal devices are you most worried about when accessing University applications?
• Out of date software. Ex: Operating systems, browsers
• Physical security of devices. Ex: passcode lock
• Jailbroken / Rooted devices
• Others (Please specify)

5. What is your policy regarding patching and updating digital devices, operating systems and apps which access your corporate network? Please select one answer only.

• We implement all patches/upgrades within 48 hours from notification
• We implement all patches/upgrades within 7 days of notification
• We implement all patches/upgrades within 30 days of notification
• It is impossible for us to maintain all devices, operating systems and apps at the latest version and patches/upgrades typically take longer than 30 days to implement.
• We outsource the patching and upgrade of all our devices and systems to a third party

6. Has your university ever been the victim of a phishing attack (where an individual is duped into disclosing their login, password or credit card details via an email purporting to be from a trusted source)? Please select one answer

• Yes
• No
• Don’t know

6a. If yes, how often have you experienced a phishing attack in the last 12 months? Please select one answer.

• 0-5 times
• 6-10 times
• 11-50 times
• 51+ times
• Don’t know

6b. If yes, which is the most common target of the phishing campaigns? (please select one)

• Students
• Lecturers/faculty staff
• Employees
• Other (please specify)

6c. What type of data was being targeted? (select all that apply)
• Student personally identifiable information (PII) e.g. date of birth. National Insurance Nos.
• Employee PII
• Financial/payroll data
• Research/patents
• Other (please specify)

6d. Did you identify the attackers and, if so, are they? (select all that apply).
• Organised cyber-criminals
• Opportunistic hackers (non-organised)
• Political hacktivists
• Disgruntled employees/former employees
• Disgruntled students/former students
• State sponsored hackers
• Other (please specify)

Yours faithfully,

Barry Salmon

Zulyte, Ieva, University of Wolverhampton

Dear Barry Salmon,

R.E. Freedom of Information Request: FOI-154-2016

Thank you for your email below, received by the University of Wolverhampton on the 24 November 2016 in which you have requested the following information:

"1. What is your policy for using personally owned devices accessing IT applications?
• We allow access to both student and staff with personal and corporate devices
• We allow access to staff with personal and corporate devices
• We only allow access to corporate devices

2. Do you have visibility into devices that are used to access University applications?
• Yes
• No

3. Do you use multi-factor authentication (such as a hardware token, software code generated by a mobile phone app, or an SMS code) to access IT applications? Please select one answer only.

• Yes, we use multi-factor authentication for all access by students, faculty and staff onto the devices, apps, intranet or IT network
• Yes, we only use it for access to all sensitive data such as financial payments, grades and personally identifiable data (PII) data held on the network
• No, we just use single factor authentication today
• We just use single factor authentication today but we are planning on implementing multi-factor authentication in the next 12 months.

4. What security risks in personal devices are you most worried about when accessing University applications?
• Out of date software. Ex: Operating systems, browsers
• Physical security of devices. Ex: passcode lock
• Jailbroken / Rooted devices
• Others (Please specify)

5. What is your policy regarding patching and updating digital devices, operating systems and apps which access your corporate network? Please select one answer only.

• We implement all patches/upgrades within 48 hours from notification
• We implement all patches/upgrades within 7 days of notification
• We implement all patches/upgrades within 30 days of notification
• It is impossible for us to maintain all devices, operating systems and apps at the latest version and patches/upgrades typically take longer than 30 days to implement.
• We outsource the patching and upgrade of all our devices and systems to a third party

6. Has your university ever been the victim of a phishing attack (where an individual is duped into disclosing their login, password or credit card details via an email purporting to be from a trusted source)? Please select one answer

• Yes
• No
• Don’t know

6a. If yes, how often have you experienced a phishing attack in the last 12 months? Please select one answer.

• 0-5 times
• 6-10 times
• 11-50 times
• 51+ times
• Don’t know

6b. If yes, which is the most common target of the phishing campaigns? (please select one)

• Students
• Lecturers/faculty staff
• Employees
• Other (please specify)

6c. What type of data was being targeted? (select all that apply)
• Student personally identifiable information (PII) e.g. date of birth. National Insurance Nos.
• Employee PII
• Financial/payroll data
• Research/patents
• Other (please specify)

6d. Did you identify the attackers and, if so, are they? (select all that apply).
• Organised cyber-criminals
• Opportunistic hackers (non-organised)
• Political hacktivists
• Disgruntled employees/former employees
• Disgruntled students/former students
• State sponsored hackers
• Other (please specify)"

Your request will now be considered in accordance with the Freedom of Information Act 2000. You will receive a response within the statutory timescale of 20 working days as defined by the Act, subject to the information not being exempt or containing a reference to a third party. In some circumstances we may be unable to achieve this deadline. If this is likely you will be informed and given a revised timescale at the earliest opportunity.

In some cases there may be a fee payable for the retrieval, collation and provision of the information you request. If this is the case you will be informed and the 20 working day timescale will be suspended until we receive payment from you. If you choose not to make payment then your request will remain unanswered.

Some requests may also require either full or partial transference to another public authority in order to answer your query in the fullest possible way. Again, you will be informed if this is the case.

Should you have any further enquiries concerning this matter, please do not hesitate to contact this office.

Yours sincerely,

Ieva Zulyte
PA to Clare McCauley, Interim University Secretary; and
Dr Richard Medcalf, Associate Dean (Academic Enhancement)
Offices of the Vice-Chancellor (MA220)
University of Wolverhampton
Wulfruna Street
Wolverhampton
WV1 1LY
Tel: 01902 322392

-------------------------------------------
From: Barry Salmon[SMTP:[email address]]
Sent: 23 November 2016 17:04:14
To: FoI
Subject: Freedom of Information request - Phishing Attacks Auto forwarded by a Rule


Zulyte, Ieva, University of Wolverhampton

Dear Barry Salmon,

Your request is being considered in accordance with the Freedom of Information Act 2000. Under normal circumstances you would have received a response within the statutory timescale of 20 working days as defined by the Act, subject to the information not being exempt or containing a reference to a third party.

Unfortunately, due to unforeseen circumstances we were unable to achieve this deadline. Therefore, we regret to inform you that the University has been unable to progress your request within the original timescale and the deadline has been extended to 24 February 2017. Please note that we will work very hard to try and get a response to you much sooner than the above date and apologise for any inconvenience caused.

Should you have any queries, please do not hesitate to contact me.

Kind Regards
Ieva

Ieva Zulyte
Data Protection and Freedom of Information Officer
Offices of the Vice-Chancellor (MA220)
University of Wolverhampton
Wulfruna Street
Wolverhampton
WV1 1LY
Tel: 01902 322392
