Meet Betty Boy, the UMIS Hacker, and His Message and Plans for Babcock University
The complete retelling of events, new information not made available to the public, and a warning for all on what is to come.
Section A – A Retelling of Events
Let us begin with a rough chronology of events.
Sometime in the middle of March this year, Babcock University’s University Management Information System website, colloquially referred to as the ‘UMIS page’ or the ‘school portal’, was hacked by an unknown actor. This hacker – whom we will come to refer to as ‘Betty Boy’ – defaced the portal’s webpage by smearing it with pornographic content. It caused an expected amount of uproar from the student body and earned light coverage by smaller Nigerian news outlets as well as plenty of buzz on Twitter and other social media. Babcock moved in swiftly to repair the damage, and all was well.
Moving forward, the chronology of events becomes somewhat less exact, as we can only rely on the testimony of Betty Boy himself to chart events along a time scale. According to the screenshots that made the rounds on the 10th of this month, May, Betty Boy claims that after the first hack where he defaced the site with pornography, he carried out a second hack about two weeks later. It was in this hack that he claims he gained ‘total control of all the databases’. He informed Babcock’s back-end engineers of this breach by ‘putting an MOTD on their SSH login’ – in other words, a message-of-the-day note shown to Babcock’s engineers when they log in to the server over SSH – to inform them that they had been breached and all their data had been stolen. According to him, Babcock didn’t respond in any manner.
He then carried out a third breach on May 6th, checking to see if anything had been changed as a response to his second breach. I will go into detail on what he discovered later, but judging by the fact I have mentioned he carried out a third breach, you can extrapolate the answer for yourself. In the morning on the 10th of May, Babcock sent out a letter addressing the hack, mentioning that they were aware of things and they made a series of claims that we will address soon, but they assured the student body that everything was under control. On the evening of that same day, Betty Boy initiated the fourth hack, placing his now infamous message on the front of the UMIS page, beginning with the truly chilling words, ‘Hello Babcock students, your school fails you once again.’
That brings us to the present.
There are many directions I can take this after-action relay of events, but let us begin with what Betty Boy made available for us to see. At the end of the message he posted in the fourth hack on the tenth, he shares a link to a popular cloud-based file hosting service known as ‘Mega.nz’. Visiting that link yields damning information in the form of a PDF and five picture files. The PDF is one hundred and fifty pages long. Titled ‘lecturerpswd.pdf’, the file contains the login credentials of what we can assume is every single lecturer in Babcock University. At seven entries per page and one hundred and fifty pages, the file contains over a thousand individual sets of usernames and passwords. Absolutely damning.
It only gets worse, however, when we view the five picture files also sent alongside the PDF. All five are screenshots of SQL databases (SQL being the standard language for querying and managing relational databases), and all contain immensely concerning information. Personal details in the form of names, addresses, phone numbers and emails of both students and parents are available in plain text. In addition to that, eTranzact identification numbers, debit card numbers, transaction ID numbers, dates and amounts are all available for viewing as well. The largest transaction available for viewing is slightly above seven hundred million naira (about $1.6 million). Those with an eye for detail will find it gravitating to the left sidebar of the SQL interface, which displays icons and names of close to thirty other databases that we can see.
In short, we can make an educated guess that if not everything, Betty Boy has a whole lot of sensitive information in his hands. It goes without saying that this is incredibly worrisome.
For most people, the story ends here. They’ve seen all that has been made available, and the conclusion one can draw is that Babcock has quite a lot on their plate to deal with. However, there is a bit more to it that I have been made privy to. For you see, Betty Boy left an email address at the end of his message in the fourth hack (and it is from this email that I obtain the name of ‘Betty Boy’) and I made the decision to contact him, acting as a journalistic asset. He responded, and a series of correspondence began.
Section B – Correspondence with Betty Boy
I will now relay a summarized version of the conversation I had with Betty Boy, the UMIS hacker.
In the first message I sent to him, I extended an opportunity to comment on the matter. He is not one for many words, and did not answer many of the questions I posed him. Considering he is – by his own words – a security engineer in his own right, it is not surprising that he is reluctant to volunteer information. I set out to establish a motive. Why do this? Why the hacks? Why the chaos? He was very succinct; he has done these things because Babcock does not care. He said similar in his message sent in the fourth hack; his interpretation of Babcock’s actions is that they do not care about the security of the information of its many wards. We will analyze this claim in detail further on. In his first reply, he also said that for the time being, he did not plan to disseminate any sensitive student data, which I informed him was somewhat comforting.
The second round of correspondence began with another email from me and a reply from him. I encouraged him to speak more, and asked whether he had any messages for the student body, considering the uproar that resulted from the fourth hack. I also asked what exactly he planned to do with the information. His reply was succinct again, a trend that continues in all future discussion. He talked about wanting to speak with the registrar or ‘someone in charge’, and commented on Babcock’s letter sent on the 10th, calling Babcock out for lying about the situation. He commented that Babcock is ‘testing him’, and that it very much seems as if they actually want him to release the information.
As regards his message to the student body, I quote;
for the student body i can only say pray, if babcock continues to act like this i might be forced to release everything
your data is not safe. not in the slightest
The third round of correspondence is marked by something very concerning. He once again sidesteps my various questions, choosing instead to send me a file and a note. This file, 22.5 megabytes in size and titled ‘student_comprehensive2.csv’, is a stripped-down copy of what is likely the full student database. Opening the file in Microsoft Excel reveals a document over sixty-seven thousand rows long, containing what I am guessing are the records for every student to pass through the school since Babcock switched over to digital record-keeping. The fields in the file are somewhat expected: names, program, matriculation number, town and country of origin, guardians’ names, and emails for both students and their guardians. There are quite a lot of other fields containing numbers and other alphanumeric strings, but it is hard to tell what information they relay or what purpose they serve. The message, however, is clear; Betty Boy has a lot of sensitive information in his hands. In his email, he states that he has changed his mind and plans to disseminate the information in this file, and while he states he has removed a fair bit of sensitive information, he asks if there are any more fields I believe should be removed.
The fourth round of correspondence begins with me asking how he plans to disseminate the information in the file, and if he could consider removing the emails in the document, given the privacy concern of over a hundred thousand emails being spread across the internet. His response is brief; considering he has access to the emails of parents, students and alumni of the school, he plans to send bulk emails en masse to each of these parties, containing the sensitive information, to ‘see how they react’, as he put it. He also mentions trying to reach out to the registrar and ‘every other person of interest’ publicly listed on the Babcock website, to no response.
The fifth round of correspondence begins with the ninth email in the chain, from me, once again asking questions and trying to glean information from him. It goes unanswered for longer than usual, until earlier today, on the 12th of May, he sends a message from a new email, mentioning that his old email has been ‘suspended’ and that he will release all information that he has on Sunday, the 14th of May, likely according to the plans he laid out in the fourth round of correspondence. He closes with wishing me good luck, and for now, the correspondence ends here.
Without mincing words, it is a whole lot to take in, but there is a bit more that we need to look at, particularly as regards Babcock’s first letter sent on the 10th and Betty Boy’s response to it on that same day. Putting it lightly, there is a considerable amount of disconnect between what is said by both parties. This is to be expected, but the nature of it – particularly on the side of Babcock – is very concerning.
Section C – An Analysis of Claims
Babcock’s letter is divided into nine paragraphs, which we will take one by one, analyzing the words used, their implications, and whether they are consistent with reality and the known facts.
The first paragraph begins with informing the public of the hack, using quite a lot of very long, heavy words to really drive home the point that Betty Boy has done terrible things to Babcock and the University. However, I must quote this line in particular;
The criminals had gained unauthorised, illegitimate and illicit access to some of the University's clients' inconsequential records from the front end server of the University…
The emphasis on ‘inconsequential’ is added by me. What, exactly, is inconsequential here? Students’ home addresses? Their phone numbers? Their and their parents’ emails? The transaction details of how they paid for their tuition fees and other payments they may have made? Which of these is inconsequential? This is a terrible note to begin the message with, as it is simply not true. The compromised data is of an immensely sensitive nature. An institution should be immensely concerned if such a breach happens, and it has a responsibility to communicate the scale of the damage to its affected wards.
But Babcock clearly disagrees, as they double down on this point in the second and third paragraphs;
We wish to state that the perpetrators' access to the said record is of no significance as it has no meaningful impact on any aspect of the University's and management.
We confidently and wholeheartedly reassure our esteemed parents, students and our other clients and stakeholders that none of the University's sensitive information has been broken into or is in unapproved or improper places.
While the second paragraph is technically true, in that Babcock can still function as though all were well because it still possesses its databases, that doesn’t change the sheer gravity of the fact that a malicious party does as well. And the third paragraph, as we can judge based on what we now know, is an outright lie. Sensitive information was broken into, and it absolutely is in ‘unapproved’ or ‘improper’ places. Betty Boy proves this with the screenshots of SQL that he shares, and the spreadsheet sent personally to me.
In the fourth paragraph they outline the portal being down (which was true then and is still true as of now) as well as stating that their ‘team of ICT experts is working to further reinforce its security to avoid a reoccurrence’. We will analyze this latter claim in detail further on. They also state that they are working with relevant security agencies to identify the source of the attack, something I am not able to verify.
The fifth paragraph outlines that Babcock University ‘remains vigilant’ in the face of the growing concern of cyber attacks globally. I will let you be the judge of that at the end of this section.
The sixth paragraph is almost humorous in how quickly it is proven to be false;
…the inbuilt layers of consolidated security features on them have made our information platforms impenetrable to the perpetrators of these senseless and ill-motivated cyber-attacks.
This is disproven barely twelve hours later by Betty Boy’s fourth hack, but it runs a fair bit deeper than that. In Betty Boy’s fourth hack message, he says something rather concerning when talking about what he discovers in his third hack; upon initiating the third hack, he claims to have discovered that the databases that he informed Babcock were compromised in the second hack… had the exact same passwords as before when he carried out the third hack. The live databases that he informed Babcock were breached, and whose information was stolen, did not have their passwords changed despite this information being relayed to them.
Now to be absolutely fair, we have no reason to take Betty Boy’s words as truth, but for a moment let us entertain the idea that he is, in fact, telling the truth. This does not reflect well – at all – on Babcock’s ‘team of experts’ if their expertise does not include changing the passwords on breached information after being told it was breached. Betty Boy did not spare them on this point, using very colorful language to describe what can be summarized as ‘gross incompetence’, so much so that he believes he was ‘being pranked’ by Babcock’s engineers.
Paragraph seven is more of the same; Babcock insisting that their sensitive information remains unassailable and inaccessible by fraudsters and intruders, even as it gets assailed and accessed by a potential fraudster and intruder. A very, very poor look.
Paragraph eight provides an email and phone number through which Babcock can be reached for clarifications on the subject, and paragraph nine thanks their stakeholders for their continued support toward their sustained growth and development as a deliverer of ‘quality education in line with globally acceptable standards’.
Section D – My Thoughts
This section is opinion-based, and so it should be taken with a fair bit of salt, if not ignored outrightly.
Betty Boy uses a fair number of words – crass and otherwise – to describe Babcock’s infrastructure as thoroughly unsuitable. He minces no words on the topic, and reaches the conclusion that Babcock, through its actions on the digital infrastructure front, and its message on the public relations front, does not care about the digital security of its many wards. That the only conclusion that can be drawn is that Babcock is lax about the entire affair, if he, Betty Boy, can continue time and time again to breach their security ‘effortlessly’ as he puts it. As my football-loving student colleagues have put it, Betty Boy has gone ‘4-0’ against Babcock. This is a poor look.
The conclusion I draw from Babcock’s letter is that it is pure damage control. They sought to do whatever it takes to put out the very large fire in their lap, including outrightly lying to their stakeholders, staff and student populace that all was well, there was nothing to be concerned about, and everything is under control. As proven thoroughly, that is absolutely not the case. Sensitive data has been compromised. The scale of it is unknown and subject only to educated guesses. My guess is ‘everything’. I firmly believe that everything one could imagine could be compromised, is compromised. And while I do not want to sound any more like a catastrophizer, I believe that an amount of cautious alarm must be injected into the matter to counteract Babcock’s insistence that all is fine and dandy.
If you have had any dealings with Babcock whatsoever, you should act with the knowledge that your sensitive data is very likely in the hands of someone who does not have your best interests at heart.
Or maybe, that point on ‘best interests’ isn’t entirely true.
In the world of cybersecurity and penetration testing, the ‘hacker’ is a far more recognized term for the ‘security engineer’ or ‘penetration tester’; a trained IT professional who is tasked with testing the security of digital systems. Any and all twenty-first century organizations worth their salt make digital security paramount, as no one will want to do business with someone without utmost guarantee that they and their interests will be protected from opportunists and career criminals that have made breaching of digital fortresses their bread and butter.
In the world of cyber security then, it is necessary to quantify the various actors on the stage, one such method of doing so being the ‘colored hat’ classification of cyber security ‘knowledgeables’. Under this we have white, black and grey hat hackers. White hat hackers are the ‘good guys’; legitimate cybersecurity experts that work privately or under firms and are hired by interested parties to build or test their security systems, and give feedback on what may be improved. Black hat hackers are the hackers we are most familiar with; the cloak-and-dagger figure who lurks in the dark, breaching security systems and stealing data for blackmailing or financial gain. These are the people who steal your social media accounts, hack your emails, put viruses on your PC, and cost the world six trillion dollars in damages and repair in 2021, according to the World Economic Forum.
Where does Betty Boy lie then?
Betty Boy occupies the strange realm of the ‘grey hat’ hacker; the hacker whose methods may be unscrupulous, but whose goals – in a vacuum – may be somewhat noble. From what we know and can extrapolate from what we aren’t explicitly told, Betty Boy isn’t planning to sell this information on shady corners of the internet for cryptocurrency and doom tens of thousands of people to a digital hell not even of their own making. As far as we know, his only motive has been the fact that ‘Babcock does not care’ and he feels that this is the only way he can make them care.
It is common practice in the grey hat hacking world for these hackers to breach the security of various organizations and bodies – only to ring up that same organization on the phone and inform them of the flaws in their security systems. Some do it even to secure jobs at these organizations, as a way of saying ‘you have a problem and I know how to fix it, for a price’. Granted, this is a method of doing things that is questionable at best and very underhanded at worst, but when weighed against the genuine damage doable by an actual malicious actor, one can see why a third-party observer might feel the actions of a grey hat are somewhat excusable, if not justifiable.
While I do not ask anyone to excuse the actions of Betty Boy, I ask that we take a nuanced look at the issue beyond ‘he hacked the school website and stole all our data’. Did he? Yes, absolutely, this is an inarguable point, but he did so to raise a red flag on a very concerning issue. That Betty Boy could do it means anyone could, and this anyone includes genuinely bad actors who won’t be so kind as to tell us that they’ve stolen our data.
Conclusion, and a Concerning Notice
As I was composing this article, another message came in from Babcock’s public relations, one I will not dignify with anything approaching thorough analysis. There is nothing to analyze. It informs the reader that Babcock is ‘well aware’ of the situation and is handling things ‘very seriously’. They are working ‘tirelessly’ with ‘cybersecurity experts’ to ‘control the situation’ and ‘systems have already been put in place’ to ensure ‘no further damages are made’.
They acknowledge that this message ‘may cause anxiety and worry’ among members of the Babcock community, but they really, really want to emphasize that the situation is ‘under control’ and that they are working hard to ensure the ‘safety and security’ of their website and sensitive data.
I suppose I should inform them, then, that Betty Boy’s final message to me was of his plans to disseminate the aforementioned sensitive data as he stated he would, on Sunday the 14th of May.
Babcock closes with urging us to remain calm and not to panic. A kind, but hollow sentiment. I do not believe the situation is under control in any capacity whatsoever. I urge everyone to be very, very concerned. And unfortunately, the sad truth is that this was all out of our hands weeks ago. I don’t think there is anything that can be done to stop Betty Boy and what he plans to do on Sunday, or to reverse the damage that has already been done.
Babcock does assure us though, that business will proceed as usual, with exams holding as expected as well as all activities planned for the rest of the semester.
I guess that makes everything better.
Responsibility rests in the hands of the responsible. Let us see what happens on Sunday. I sympathize profusely with all my student colleagues, their parents, Babcock staff and others affiliated in one way or another with the school. We are all the real victims here. It is our data in a metaphorical limbo.
May God see fit to protect us all.