Student Loan Company Fought Off 1 Million Cyberattacks in a Year

The financial services industry registered three times more security incidents than any other industry in 2018. According to data released under Freedom of Information legislation, UK government organization The Student Loans Company (SLC) experienced close to a million cyberattacks in the 2017 – 2018 fiscal year. The information was made public upon written request from the Parliament Street think tank.

While most attacks were categorized as malware (323), Denial-of-Service, and malicious emails or calls (235), they all failed, except for a cryptojacking attack. Manipulating a third-party plugin, hackers injected Monero mining software into the company”s network. This was attributed to third-party incidents.

Dealing with student grants and loans, SLC had access to a high volume of confidential personal and financial information. According to its annual report, the company has 8.1 million customers and a loan book value of £117.8 billion, and it processed about 1.8 million applications in the fiscal year.

The non-profit organization says it stores no customer data on its servers, so no critical information was compromised. The company further said they only “host publicly available data.”

During the 2017 – 2018 fiscal year, The Student Loans Company suffered 1 million attacks meant to compromise the network and access financial information. This figure is of particular concern since the organization only suffered 95 attacks in the previous year and just three the year before that.

“Firstly we’d stress that malicious online activity affects every organization and individual,” a company spokesperson said for IT Pro. “It is also necessary to put in context that 99.9 % of the “attempts” recorded in 17/18 present an extremely low level of threat. The apparent increase in 17/18 figures is largely due to changes in the way security incidents are recorded. It is also worth stressing that, while we remain permanently aware and vigilant, every one of these attempts was detected and prevented at an early stage, with no violation of systems or data security.”