Quorum Cyber sponsored the HEPN South conference once again, on 13th-14th November 2025, held by PNE in London.
Quorum Cyber’s Field Chief Information Security Officer, Richard Holland, and Incident Response Director, Dan Saunders, were on stage on 14th November, providing the audience from the higher education sector with an engaging presentation about a real cyber-attack, which Richard experienced not too long ago.
The presentation revealed exactly what happens when a university suddenly discovers that it’s been compromised by a threat actor, and what organisations should do when dealing with a cyber crisis.
In the 20-minute talk, Richard, who was formerly Assistant Director in the Office of the CIO for Queen Mary University of London, told how, mid-way through an important finance meeting one afternoon, his team was informed that confidential data belonging to the university had appeared on the dark web. Richard took the audience through the stages of the attack chronologically from Day 0 all the way through to three months later when the university had finally recovered.
Alternating with Richard on stage, Dan added his insights from a defender’s point of view, explaining what organisations could do to prevent this type of attack from happening in the first place, how best to handle the incident technically, and how to manage communications with internal and external stakeholders, as well as the press.
“It’s vital to consider your employees’ welfare through a cyber crisis,” said Richard as he relived the experience of working long hours in a high-stress environment for weeks after the initial incident came to light.
When the unexpected happens and the importance of asking for help
On first being informed that the university’s data was available on the dark web, Richard and his team had to inform executives and create a War Room to understand exactly what had taken place and who was behind the data breach. Richard had to decide which systems to shut down to protect the university from further damage. His team was constantly under pressure and having to make extremely difficult decisions, while preventing the story from leaking to the media.
Richard called the National Cyber Security Centre (NCSC) for support, but the GCHQ branch was too busy with other cyber-attacks to be able to help. He decided to call in support from Quorum Cyber, which has thousands of hours of incident response experience over hundreds of different cases. Quorum Cyber’s team of incident response experts promptly helped the university mitigate damage and efficiently recover.
What to do in the heat of the moment
Dan spoke from the defender’s view, explaining exactly what the university should have done at each step, and on each day after the cyber-attack. “The first 24 hours are critical,” he said, advising universities to “be prepared, be proactive.” Dan urged organisations to leverage trusted cyber security vendors who are vetted and qualified. “The incident response team will aid you in the incident management process and help coordinate the necessary technical and strategic workstreams necessary to recover from and mitigate the cyber crisis.”
He added that universities need to consider both their internal and external exposure. Shadow IT networks need to become a thing of the past, and proactive security controls and 24/7 monitoring of the IT environment are critical. Furthermore, actionable threat intelligence is invaluable in this situation: understanding the modus operandi of the threat actor helps you make informed decisions during the investigation and when setting the recovery strategy.
Richard disclosed that the first cybercriminal to compromise the university’s security had sold access to other threat actors, so fast action was required to prevent more data being stolen.
“It’s important to know where data is stored, where the crown jewels of the organisation are kept,” said Dan. He explained that an experienced and certified cyber security partner does so much more than just contain the threat and secure the IT environment. At Quorum Cyber, we advise how and when to communicate to the university’s board of directors, insurance companies, law firms, law enforcement, the Information Commissioner’s Office (ICO), any other parties that may be impacted, and the media.
A successful recovery
Three months after Day 0, after eradicating the adversary, after rebuilding 600 laptops, and after removing all use of shadow IT, the university was finally back running smoothly and safely. Thanks to Quorum Cyber’s expertise, Queen Mary University of London now benefits from 24/7 monitoring, detection, and response, and has a world-class Incident Response team ready to act if the very worst should ever happen again.
You can read the full customer case study from Queen Mary University of London to learn more about how Quorum Cyber supported the university through one of its worst days.
Browse our range of services
Discover our incident response services to see how we can protect your organisation before, during, or after any cyber incident. Our Emergency MDR service is designed to swiftly help during or immediately after a cyber-attack, while our service Clarity Data will empower you to master and safeguard your most precious assets. You might also be interested in our Cyber Resilience Assessment, which is designed to give you a deep understanding of your current cyber risk.
Please get in touch to discuss any of these services or any of the points Dan and Richard covered in their presentation at HEPN South.















