Munster Technological University data leak includes large quantity of staff and student details

More than 6GB of files from MTU, including financial information, uploaded to dark web by criminal hacker group

BlackCat, also known as ALPHV or Noberus, is believed to be based in Russia or another former Soviet Union country. It operates as a 'ransomware as a service' (RaaS), meaning it is hired by criminals to conduct cyberattacks on their behalf. Photograph: iStock

Data leaked from Munster Technological University (MTU) during last week’s cyberattack comprises vast amounts of staff and student information, including financial details.

More than 6GB of internal files were uploaded by the BlackCat hacker group last week after the university refused to pay a ransom. The information disclosed on the internet includes dozens of file folders relating to internal university matters such as payroll data, bank accounts and contracts of employment.

Some data around medical and annual leave for employees, internal audits and student assistance grants as well as academic material has also been released, security sources said. Security experts were continuing to comb through the data dump on Monday to determine the impact on the university, its students and staff.

Sources said there were no indications yet that staff or students were immediately at risk of financial loss or identity theft due to the data dump. However, they warned that the leaked data could be used for phishing attempts or combined with other publicly available data for the purposes of fraud.

Those connected to the university were advised on Monday to be vigilant for any phishing attempts or other suspicious activity.

The data remains accessible only on the dark web, which requires a special browser to gain access. However, the BlackCat group has been known to publish hacked data on the general internet also. In some cases it has personally messaged staff of hacked organisations informing them their data has been dumped online in an effort to exert pressure to pay ransoms.

Gardaí and the National Cyber Security Centre (NCSC) are investigating the matter. It is understood gardaí are also examining ways of taking proactive measures aimed at disrupting the operations of the gang. The Data Protection Commission has also been informed of the data leak.

Some of the hacked data dates back 15 years or more and relates to Cork Institute of Technology and the Institute of Technology, Tralee, which merged in 2021 to form MTU.

The data dump was the subject of a High Court order late on Friday night following an application from MTU. Its lawyers obtained an order preventing the people behind the attack, and anyone else who has knowledge of the order, from publishing, making available to the public or sharing any of the university’s confidential material.

BlackCat, which is also known as ALPHV or Noberus, is believed to be based in Russia or other former Soviet Union countries. It operates as a “ransomware as a service” (RaaS), meaning it is hired by criminals to conduct cyberattacks on their behalf, with any ransoms being divided up afterwards.

Like the 2021 cyberattack on the Health Service Executive, the latest incident was two-pronged. Hackers locked MTU staff out of internal computer systems and threatened to publish confidential data if a ransom was not paid.

BlackCat has been behind hundreds of attacks since its activities were first detected in 2021 and is judged by the FBI to be one of the most effective RaaS outfits currently in operation. Its targets have included oil and energy companies in Germany and Colombia and it has also frequently targeted US healthcare organisations.

Richard Browne, director of the National Cyber Security Centre, said the attackers were “extremely prolific” and would likely just “walk away” now that the ransom had not been paid.

“They have spent their money and have got nothing back from it. They’re done. And the question for us now is how do we limit the damage of that data being out there in the world?” he told RTÉ Radio’s Morning Ireland.

Conor Gallagher

Conor Gallagher is Crime and Security Correspondent of The Irish Times