Cyberattack On Staff Member’s Work Email Account

On 24th June 2021, St. Edwards College became aware of malicious emails being sent out supposedly on its behalf. In the said emails (or other communications), the recipients were urged to transfer funds/tuition fees to the College on an urgent basis in order to benefit from a discount. These emails were NOT sent by the College and the Polish bank account details included in the said emails related to unknown third parties.


Without waiting to check if we were legally obliged to do so, on the same day we became aware of this incident, we immediately:


  1. Called all the affected recipients we knew about to inform them that these emails were not coming from us (and to take necessary precautions);
  2. Changed the password of the email account being used to send out the malicious emails in question;
  3. Strengthened the rules regarding access rights in connection with all the College’s email accounts;
  4. Filed a Police report and are presently collaborating closely with the Malta Cybercrime Unit to bring the criminals in question to justice;
  5. Initiated a full internal investigation to assess how this happened and what the consequences are;
  6. Engaged external IT specialists to provide us with a technical incident report;
  7. Engaged external legal counsel to help us with our GDPR obligations;
  8. Filed a preliminary data breach notification with the Information and Data Protection Commissioner;
  9. Issued a public notice informing the general public what had happened and warning everyone reading it to be vigilant and not interact with the senders of the malicious emails in question.


Over the past few days, we have worked tirelessly to obtain more information and conclude our internal investigation. We have now also received an incident report from our engaged IT experts.


The facts, as known to us, are as follows:

  • The work email account of our admissions officer was targeted and was unlawfully accessed and misused by an individual or group of individuals seeking to defraud the College and/or unsuspecting recipients of malicious emails;
  • In doing so, the said individual(s) has/have committed several criminal offences including gaining unauthorised access to the said College email account as well as impersonating our staff with the goal of stealing funds not due to them;
  • Our admissions officer is an individual of impeccable character and the IT investigation of the College-owned device she uses to access her emails as well as our own internal investigation clearly shows that the device itself (which was purchased only six (6) months prior to the incident in question) was not compromised in any manner whatsoever. There are no viruses, no trojans and no malware present.
  • The investigation shows that the individual(s) in question did not gain access to the general files on our system. The attack was therefore contained and limited solely to the admissions officer’s email account.
  • The external IT and internal investigations carried out so far have not revealed how the criminal(s) gained access to the email account in question.
  • The criminal(s) was/were covering their tracks in such a way that it was difficult for us to notice what was happening until they started sending out emails using the said email account and until parents alerted us to this. The fraudulent emails sent by the criminal (and replies thereto) were being deleted in real time as they were being sent out and/or received.
  • This incident took place despite all our cybersecurity practices and investments. We regularly spend thousands of Euros upgrading our systems and in fact, we are currently in the process of carrying out further upgrades that we will inform you about in due course.


Risks and Way Forward


The main risk we have identified is the fact that an unknown third party or parties gained unlawful access to all incoming and outgoing emails sent and/or received by our admissions officer and that such access lasted for not more than three to four weeks. The admissions officer regularly received onboarding and other information regarding parents/guardians and students, including personal data.


Although we are not in a position to exclude misuse of such personal data, the goal of the cybercriminals seems to have been limited to fraudulently obtaining funds paid into the criminals’ Polish bank account. Since the criminals have been blocked out of our system, they are now trying to conduct the same fraudulent activity by using email accounts that are not in any way associated with us and/or under our control. Please be vigilant for any emails sent to you that closely resemble our own (for example email accounts ending with ‘.me’ [Montenegro] rather than ‘.mt’ [Malta]) and kindly alert us to any such emails so that we may pass on this information to the Malta Police.
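The lookalike-address check described above, written as an added example for a mail administrator or parent triaging incoming messages; this is not code from the College, and the College domain name and sample sender addresses are placeholders constructed for illustration.

```python
# Added example: flag From: addresses that merely resemble the legitimate domain,
# e.g. a '.me' (Montenegro) twin of a '.mt' (Malta) address, or a one-letter
# misspelling. LEGIT_DOMAIN is a constructed placeholder, not the real domain.
import re
from difflib import SequenceMatcher

LEGIT_DOMAIN = "stedwards.example.mt"   # placeholder for the College's real domain


def sender_domain(from_header: str) -> str:
    """Extract the domain part from a From: value such as 'Name <user@host>'."""
    m = re.search(r"([^<>\s@]+)@([^<>\s]+)", from_header)
    return m.group(2).lower() if m else ""


def classify_sender(from_header: str, legit: str = LEGIT_DOMAIN) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for one From: header."""
    domain = sender_domain(from_header)
    if not domain:
        return "unrelated"
    if domain == legit:
        return "legitimate"
    legit_name, legit_tld = legit.rsplit(".", 1)
    name, tld = domain.rsplit(".", 1) if "." in domain else (domain, "")
    # Same name with a swapped top-level domain: the .mt -> .me case in the notice
    if name == legit_name and tld != legit_tld:
        return "lookalike"
    # Otherwise treat near-identical spellings (a character or two off) as lookalikes
    if SequenceMatcher(None, domain, legit).ratio() >= 0.9:
        return "lookalike"
    return "unrelated"


def triage(headers):
    """Classify a batch of From: headers; returns a list of (header, verdict)."""
    return [(h, classify_sender(h)) for h in headers]


if __name__ == "__main__":
    # Constructed sample headers for a quick run
    for header, verdict in triage([
        "admissions@stedwards.example.mt",
        "Admissions <admissions@stedwards.example.me>",
        "admissions@stedward.example.mt",
        "someone@gmail.com",
    ]):
        print(f"{verdict:11} {header}")
```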


Our top priority remains the safety of our staff, students and their families and for this reason we immediately took the decision to be fully transparent from day one and keep you updated throughout. We will keep doing so.


On 8th July 2021 we updated the Information and Data Protection Commissioner with all developments (including submitting the full technical report that we received on 5th July 2021 from our IT specialists).


In the coming days we will continue monitoring the situation and continue taking all measures to further strengthen our security measures.


Although we contend that we did everything we could to prevent such an attack from taking place and although there was no human error on our part or on the part of our staff, we will cooperate closely with the authorities to ensure that the perpetrators of this crime are identified and brought to justice.


On my part I will say that any attack on our IT systems and/or any conduct that risks affecting the rights and freedoms of our staff, students and their families will not be tolerated. We are keeping all our options open, including commencing full blown civil proceedings against anyone involved in this crime.


If anyone has any information that may help us, please do reach out to us and/or the Malta Police.


Should you wish to speak to us about this matter, please feel free to contact myself, Mr. N. Mac an Bhaird, at 00 356 2788 1199.


The Headmaster


Earlier the College had issued this communication:

This will not apply to everyone but I am sending this so that you are all aware.

On 24th June 2021, St. Edwards College became aware of malicious emails being sent out supposedly on its behalf. In the said emails (or other communications), the recipient is urged to transfer funds/tuition fees to the College on an urgent basis in order to benefit from a discount. The IBAN number included in the email appears to relate to a foreign bank account over which the College has no control whatsoever. There may be other such IBAN numbers. The details included in the emails are as follows:


Beneficiary: St. Edward’s College

Bank Name and Address: Santander Bank, 34-45 Warszawa, Poland

Account No: 84109028350000000147650178

IBAN: PL84 1090 2835 0000 0001 4765 0178

BIC: WBKPPLPP


The emails also seem to contain the following text in the subject line: “SCHOLARSHIP/DISCOUNT”.


Please note that St. Edwards College did not send out any such emails or communications and that, despite the various security measures it has in place, this may be the result of a cyberattack on the College’s IT systems and a fraudulent attempt to steal its identity.

We immediately filed a police report and are working closely with the Maltese Cyber Crime Unit and other independent specialists in this regard.

The email address used may be identical to the College’s official address or may contain slight differences.

IN ANY CASE, PLEASE DO NOT MAKE ANY PAYMENTS TO THE BANK ACCOUNT IDENTIFIED ABOVE OR REPLY TO THE SAID EMAILS/COMMUNICATIONS CONTAINING THE MESSAGE AND/OR SUBJECT LINE IDENTIFIED ABOVE AND KINDLY URGENTLY NOTIFY THE COLLEGE IF YOU HAVE RECEIVED ANY SUCH EMAIL OR OTHER SIMILAR COMMUNICATION.

St. Edwards College is thoroughly investigating the matter. As a precaution, we have also changed all our passwords and have contacted top specialists in IT security to work with us. We have taken all other precautions as directed by the Malta Police and will monitor the situation very closely.

Parts are moving fast but we will keep you updated.

Thank you for your understanding; please contact us if needed.

N. Mac an Bhaird.

Headmaster