Data (In)Security at LUMS

By: Zoha Fareed Chishti

“It is important to understand that malicious users always look for easy prey, first, and use social engineering to set up traps. Even if you have spent millions on hardware, one weak link internally can expose all that you have protected,” says Tariq Sheikh, Senior Manager at Information Security (InfoSec) LUMS.   

On 9th September 2020, just a few days before the commencement of the fall semester, Ayman Fuad ‘24 received an email on her Outlook account that was meant for another student. The email thread, which contained another student’s private information, was mistakenly forwarded to Fuad. She told The Post, “[The email] contained a password, as well as the student’s phone number and address. This is the second time something like this has happened.”

Over the past few years, students at LUMS have witnessed various cases of data security breaches. Back in 2018, major files containing sensitive information (like phone numbers, addresses, CNIC and passport numbers) were leaked online. With an increased reliance on virtual correspondence in the past few weeks, students took to the LUMS Discussion Forum (LDF) to share their concerns after receiving suspicious links in their Outlook inboxes.

Ramsha Fatima ‘22 suffered a breach on her Outlook account on 23rd September 2020, wherein an email with a malicious link was sent to a lot of people on her contact list, including the Vice Chancellor, the Dean of MGSHSS, the Coordinator of MGSHSS, multiple instructors, her student loan officers and fellow students. She talked about how jarring the experience was. She said, “I discovered the breach at 6 p.m., exactly when my class had started. I was constantly panicking, trying to act fast but also trying to keep up with my class. I was very afraid of the consequences.” She had to track down all the recipients, send out apologies and change her security details. She further added, “I started thinking of worst-case scenarios [like] my student loan being delayed.”

Madiha Tariq ‘20 says, “There have been multiple security breaches that were never addressed. Files were leaked with sensitive information. A private email thread of a first-year student was forwarded to [a lot of people at] LUMS – and that too by IST!”

Tariq explained that she noticed how frequently data privacy is violated at LUMS when a discussion regarding data security broke out on the SSE girls WhatsApp group. The discussion prompted Tariq to send an email to the administration to bring their attention to the severity of the situation. 

In the email, Tariq wrote, “We are expected to trust the university with medical information for Zambeel medical forms and OSA petitions, with personal family matters for why a student might need campus accommodation and even with mental health issues while contacting campus counsellors.” She also highlighted how the entire student body felt the impact of these breaches in her email saying, “[These] mistakes don’t just affect one student; it makes every one of us afraid to share our information and many [out of fear of their private information being so carelessly leaked] won’t even reach out to the university even when they most need the help.” As of yet, Tariq has received no response from the administration to her email. 

Amna Khan* said (about the 2018 incident), “Everyone felt violated, disappointed in LUMS facilities for their failure to protect sensitive data despite paying so much. Safety was completely stripped as anyone could literally come to your door.”

While talking to The Post, Tariq Sheikh said, “Following the 2018 incident, Information Security (InfoSec) at LUMS was established. InfoSec communicates with the community to create awareness along with inviting industry experts to talk about the challenges [in cyber security].”  

Sheikh, while talking about the 2018 data breach, explained that malware on one of the IST computers had allowed a hacker to access the Zambeel database and thereby leak the information online. He explained that LUMS had thoroughly investigated the 2018 data breach and upgraded the server infrastructure and security protocol.

With the university going online, the reliance on digital modes of communication is greater than ever before. There is a pressing need to ensure that the information students relay to the university remains safe. Sheikh explained that InfoSec has planned a security model based on the current compulsion of virtual correspondence. He said, “During this year, we will be installing enterprise grade endpoint security software (antivirus/antimalware) onto all our computers, which are presently secured with Microsoft’s bundled software (Windows Defender).”

“We are ready to hold simulation sessions which can teach students about cyber security,” Sheikh told The Post. “But the students don’t attend them. The last session we held was attended by just 3 students.” He stressed the importance of verifying data before engaging with it and of students being responsible. “It is a collaborative effort— we are ready to put in the efforts to improve security, but the onus of responsibility also falls on the student.”

Upon being asked for a solution, Sheikh replied, “The users need to be aware of the threats and how to avoid them. And institutions need to invest in endpoint security solutions that protect users’ computers and not just server infrastructure.” 

 

*name has been changed to respect privacy
