The average university remains very vulnerable to cyber attacks. Over the course of 2018, more than 50 United Kingdom universities were hacked. In all cases, the attackers were able to breach defenses in one to two hours. They gained access to the financial systems of each school as well as the personal information of the faculty and student body.
So why didn’t you read about this in the papers? These hacks were carried out by Jisc, the non-profit company that effectively governs internet access at the country’s institutions of higher education. Jisc’s team of penetration testers put the cyber security policies of the country’s schools to the test, and reported back with a 100% breach rate.
Meanwhile, in America, Georgia Tech was hacked by a much less benign operator and the records of up to 1.3 million faculty and staff were exposed. The school only has about 27,000 students at any given time, so the hack numbers suggest that many years’ worth of older records were exposed.
Dan Tuchler, CMO at SecurityFirst, had a quick reaction:
“How ironic that a university with a high ranking in computer science, which offers courses in cybersecurity, got hacked. This in a state which has had privacy regulations in place – the Georgia Personal Identity Protection Act – since 2007. This is a clear example of the need for encryption of personal data. Hackers always find a way in and they need to be stopped before they get the personal data.”
The UK hacks
The Jisc attackers used a variety of techniques, but in most cases it was tried-and-true “spear phishing” that got them through the door in about an hour.
UK universities are a popular target for hackers, particularly nation-state actors interested in ongoing research. Iran has shown a particular interest in the country’s technological research. Opportunists are also always happy to deploy ransomware when they see an opening. And UK universities have experienced an uptick in distributed denial of service (DDoS) attacks in the past year, which Jisc believes are originating from staff or students based on their timing and patterns. It’s a demographic that is vulnerable to cyber attacks, yet is often ill-prepared for them.
Jisc researchers surveyed the universities in question earlier in 2018 about their security readiness. Only 15% of the senior IT staff surveyed scored their readiness at an eight or higher on a scale of 10; the mean score across all surveys was 5.9. The IT professionals surveyed cited lack of staff, budget and attention from senior leadership as the primary reasons for feeling that their schools were vulnerable to cyber attacks.
The Georgia Tech hack
Georgia Tech was hacked by an unknown outside party, who appears to have first gained access to their systems in December 2018. The school didn’t discover the breach until March 21, and didn’t disclose it until April 2.
The attackers apparently broke in by way of a faulty web application; the breach appears to have been discovered by the app developers when a significant performance drop was observed.
The school has since patched the vulnerability, but the unknown hacker had access to records for roughly three months. Based on the number of records listed, it’s safe to assume they had access to faculty and student information dating back as far as two decades. Birth dates and social security numbers “may have” been accessed according to the school’s formal statement, making this a very serious security failure on the part of the university.
This was not the first serious cyber security problem for the university, which has repeatedly proven to be vulnerable to cyber attacks. A 2007 hack exposed information including the social security numbers of up to 3,000 staff members as well as 400 state credit card numbers used for school purchases. In late 2016, an attack exposed employee social security and bank account numbers to an unknown party for about 30 minutes. And in 2018, a phishing attack harvested email addresses and potentially impacted 8,800 students.
As Dan Tuchler noted, Georgia Tech has been lauded for its IT prowess. The school’s own website currently boasts that it’s considered the #2 cyber security college in the US by Degree Prospects, U.S. News and World Report’s #2 graduate school for IT public policy, and their #4 graduate program for computer engineering. The school is also a university-affiliated research center for the Department of Defense and was the 2015 winner of the Internet Defense Prize awarded by USENIX Security and Facebook. Strange, then, that it appears to be so vulnerable to cyber attacks.
Universities remain vulnerable to cyber attacks; is encryption the answer?
These recent examples highlight several cyber security problems that universities are subject to.
Even if competent IT personnel are on hand, budget limitations and inadequate staffing can still create openings for a security breach. Much of this flows from risk management decisions made in boardrooms. The boards of universities are usually composed of people who have little to no background or experience in cyber security.
Universities have unique considerations in terms of data breach risk management policies. With a traditional business, it may boil down to a simple cost/benefit analysis if there isn’t a significant amount of personal information involved. Universities are sitting on top of a trove of non-employee personal information, however. Students expect that information to be protected not just for the sake of privacy and preventing identity theft, but also because it can have an impact on their future academic and workplace careers.
These examples demonstrate that even well-regarded universities are vulnerable to cyber attacks and definitely have room for improvement in terms of cyber security budgeting and planning. However, a determined attacker is likely to make their way into any system eventually. This is why a robust data encryption policy for personal information makes so much sense. An attacker who penetrates the network faces the added barrier of breaking the data encryption after exfiltrating it; if the data is encrypted properly, it is unlikely they will be able to do so. Encryption of personal data alone makes schools significantly less vulnerable to cyber attacks.
The University of Leicester, one of the schools that Jisc services and tests, advises that personal data be encrypted when “outside a secure University location.” These recent examples make clear that the university’s central database should perhaps also no longer be considered a “secure University location.” While it is no doubt more secure than the average student’s laptop, it is also much more of a target of interest for skilled attackers.