SOCIETY EMAILS GET ‘NUKED’

Everyone who uses Lancaster’s IT systems will have been briefed many times on the much-publicised phishing attack this summer that led to applicants’ data being stolen – for example, see:
https://www.theregister.co.uk/2019/07/23/lancaster_university_data_breach/
For most local users, the changes to IT access since then have been a relatively minor inconvenience, though they’ve caused substantial increases in workload for staff who do still have access to relevant systems and data – basically we can’t all be as functional as we used to be, because we can’t stay secure that way. But for some student societies the problems are more significant – an anonymous correspondent submits the following (content redacted to remove all the swear words):
*
The uni decided, over the summer, that it’s too much of a data breach hazard for societies to have IT accounts. They decided this… because staff got phished. Clearly, staff getting phished and a data breach happening that way means society IT accounts are a problem. So what do they do? Do they make a sensible choice and enforce regular password changes for society accounts? Enforce more data protection training? Remind societies to be secure?
No, they just decide to nuke society accounts. Nuke ’em entirely. Do they communicate this effectively? No they don’t.
ISS were meant to get all this sorted before term started. Naturally, it wasn’t sorted in time, but for some reason they decided to not allow room bookings to be released to societies. LUSU front desk staff had to rescue societies by doing bookings for them. Any socs who wanted to have their meeting places on their freshers’ week advertising had only from the Monday of freshers’ week to go to LUSU and book rooms.
Otherwise many many societies would have been handing out flyers that said ‘WE’RE THINGY SOC, WE LIKE THE THING… FIND US… SOMEWHERE. WE GUESS.’
On top of this, the nuking of society accounts means that now, the only way to get any room bookings done is via the personal student accounts of any exec who’ve been verified as exec members. They now seemingly have to validate ALL student exec members EVERY YEAR… which will totally happen on time. And then de-validate them whenever execs change hands. Oh, that’ll be great, won’t it?
On top of that, there’s zero policy in place for non-student exec. At all. Not one bit of thought about us. We are a thing. I’m doing an important activity-coordinating role and now I can’t access room bookings or the society’s email inbox at all – not even room bookings viewing access, so I can’t go ‘Hey, President, please book exactly these rooms at exactly these times’, unless I physically use one of them for access. Similarly, I can’t send emails as the society.
Also, society web pages can be hosted on uni servers. Those are tied to the society account. Or were. We were told that ISS wouldn’t pull society accounts until they had a solution to this, and every time we ask anyone about it, they say ‘Oh, the unioncloud page?’ and we say ‘No, the society web page hosted on uni servers, this one’ and show them, and they say ‘Oh I dunno lol’.
*
This has happened, our correspondent suggests, because someone’s used ‘a sledgehammer to crack a walnut.’

subtext sympathises with our correspondent but also sympathises with ISS, who found themselves all over the press this summer and facing external investigations left, right and centre. We trust that an amicable solution can be found.
