In April 2019, the Georgia Institute of Technology was affected by a major cyber attack. An unknown hacker accessed a central Georgia Tech database containing names, addresses, social security numbers and birth dates of former and current students as well as faculty and staff members. Overall, personally identifiable information (PII) belonging to around 1.3 million individuals was stolen in this massive data breach.
It seems to be a common belief that cyber attacks against universities remain far from common practice for threat actors. Indeed, stealing information belonging to students may seem less lucrative than stealing data held by bank employees or civil servants. Moreover, it is often assumed that tech-savvy universities with top-notch computer science programmes tend to be less vulnerable than other organizations. However, Symantec’s 2016 report puts higher education as the second most targeted services sector, behind healthcare, in terms of the number of cyber attacks. According to Kaspersky researchers, cyber attacks against universities seem to be proliferating. Three main reasons tend to explain this major trend.
First, universities need to run information systems that are accessible to a large number of constituents. Each year, thousands of new students are given access to the university networks, in addition to staff members, faculty members and researchers. As a consequence, unlike corporations which usually operate centralized networks with extremely restricted access, many universities still embrace more open information systems that are as user-friendly as possible, with minimal security interferences addressed to their third parties.
Second, many cybersecurity threats directed toward universities’ information systems come from insiders. For instance, a study from Jisc, a not-for-profit organisation providing digital solutions for UK education and research, showed that the number of Distributed Denial of Service (DDoS) attacks against UK universities was dramatically decreasing during school holidays, which might indicate that some of the attackers are students, staff, or other individuals familiar with the academic cycle. Among many possible motivations, the prestige induced by the ability to penetrate the information systems of one’s own university, or grudges against one’s university, may be fueling an increase in these types of attacks.
More worrisome, it appears that state-sponsored cyber attacks have also been directed toward universities. In 2018, hackers allegedly linked to the Iranian government launched a cyber campaign aiming at academic institutions in the United Kingdom, the United States, Canada, China, and Switzerland. One of the techniques used during this operation consisted of creating phishing webpages copying login pages of universities in order to steal credentials. It seems that the final goals of these attacks were to gain access to sensitive documents present on the library systems of these institutions.
This last story leads to the third reason potentially explaining the wave of cyber attacks against academic institutions: servers run by these organizations are actually hosting incredibly valuable data. Personally identifiable information such as names, addresses, education, and financial-related data regarding a large number of individuals is present on the servers of higher education institutions. This was illustrated by the Georgia Tech data breach, in which a large amount of PII was exposed, belonging not only to current students but also to past students. Moreover, universities often conduct sensitive research in collaboration with public institutions or corporations, and even sometimes with the defense sector. As a consequence, information systems of these organizations might sometimes be the weak link among all the stakeholders of confidential scientific programmes. On March 2019, the Wall Street Journal published a list of two dozen universities targeted around the globe by Chinese hackers. Maritime technology being developed for military use was the data targeted by hackers.
In spite of the strong interest shown by hackers toward data held by universities, it seems that the education sector is still not prepared to face cyber attacks. Indeed, in April 2019, a preventive spear phishing campaign was conducted by Jisc to test higher education institutions in the UK. The results showed a hundred per cent track record of gaining access to universities’ high value data within two hours. Over both the short term and the long term, it will become critical for the education sector to strongly invest in order to protect its information systems. Failing to do so would not only endanger their reputation but also put at risk all their constituents, and undermine the strong confidence put by the citizens in the academic institutions.
PII data breaches are one of the most critical threats CybelAngel is monitoring for its enterprise customers across the globe. If you’re interested in finding out whether your enterprise has leaked PII or other sensitive data, request a demo of the CybelAngel platform, or chat with CybelBot below!