The education sector is increasingly vulnerable to simple and sophisticated cyber threats, and higher learning is especially vulnerable. No matter how airtight a university’s cybersecurity system is when operating in a vacuum, the best-laid plans begin to crumble as soon as third parties less concerned with maintaining that security get involved.
And, increasingly, students are less concerned about their school’s security infrastructure and compliance and are direct causes of these breaches, according to a mid-year 2022 report from Check Point: “Students are not employees; they use their own devices, work from shared flats, and connect to free WiFi without necessarily thinking about the security risks. This combination of a lack of understanding and ignorance has contributed to the perfect storm, giving hackers a free run.”
These attacks also tend to succeed more often, both in gaining access and in extracting a payout when a ransom is demanded, with 74% of attacks ending successfully for hackers. Here are a few prime examples of cyber-attacks in the education sector.
Albuquerque, New Mexico hit with a one-two punch
From December 2021 through January the following year, Bernalillo County was slammed by a ransomware attack that targeted government services. Freshly on the heels of this cyber security nightmare, the Albuquerque school system was breached.
Specifically, the school attack targeted critical systems and “compromised the student information system used to take attendance, contact families in emergencies, and assure that students are picked up from school by authorized adults.” This kind of personally identifiable information and these verification processes are vital to student safety, and the school was closed as officials dealt with the issue.
Amongst other things, the Albuquerque attack illustrates the importance of dispersing critical services amongst multiple systems, providers, or software, even if spreading them out is inconvenient. From banking to personal data collection, schools must ensure that their systems come with security features and that their employees comply with those security features.
Whitworth University compromised
In July, poor password hygiene led to another ransomware attack. In this attack, nearly a terabyte of student data was stolen, and systems were taken offline for over a month as frustrated staff and faculty were kept in the dark by the administration. Many found out what was happening from a third-party cybersecurity firm via Twitter.
The group known as LockBit is notorious for sending email attachments to trick gullible workers into providing access or passwords to access systems before capturing data and holding it hostage.
From Microsoft’s report: “LockBit is typically deployed during human-operated ransomware campaigns. Attackers distribute this ransomware as an email attachment or try to exploit vulnerabilities in web browsers and other services exposed to the internet. Once in the network, attackers steal credentials, move laterally to other devices, and obtain privileged credentials before installing this ransomware on multiple target devices.”
This type of increasingly common attack shows that, no matter how secure a system, human error and lack of security protocol knowledge can still bring a firm or school to its knees.
The University of California at San Francisco pays over $1M to hackers
While the university was researching COVID-19, hackers shut down UCSF’s epidemiology and biostatistics department, demanding $3 million to get the system and data back. The cause, again, was poor protocol implementation by people as “the researchers hadn’t taken the time to duly back up their data.”
This was a breach of physically present servers rather than of third-party cloud security, and it also shows how typical security protocol is sometimes less effective than, say, blockchain-based systems.
Publishing portions of the data on the dark web as proof, the hackers’ representative, known as Operator, negotiated with university administrators through secure digital chat and demanded the payout: “You need to understand, for you as a big university, our price is shit. […] You can collect that money in a couple of hours. You need to take us seriously. If we’ll release on our blog student records/data, I’m 100% sure you will lose more than our price what we ask.”
After back-and-forth negotiations, the university was lucky enough to agree to a payout of 116 Bitcoin worth, at the time, $1.14M to get their data back. Again, this incident demonstrates the importance of maintaining backups of data (especially sensitive and critical data) and managing how people behave when they access the systems. It also shows how inexpensive even pricey up-front costs can be compared to the aftermath of not spending the money, as paying at least $60 an hour is still less expensive than a multi-million dollar payoff to hackers.
While these are just a few high-profile examples, these types of attacks and demands happen to schools often and sometimes stay under the radar as officials try to avoid embarrassment. One report from Sophos shows the full spectrum of what’s happening in the education sector’s cybersecurity systems. The report is comprehensive, surveying IT professionals from 320 lower-education and 410 higher-education systems across 31 countries, so it is particularly applicable to interested professionals:
Attacked by ransomware
- 56% of lower education respondents were hit by ransomware in 2022
- 64% of higher education
This is a sizable increase from a 2021 average of just 44% across education. And, compared to global norms, these statistics are higher than average, indicating that education is a ripe target: “the education sector is poorly prepared to defend against a ransomware attack, and likely lacks the layered defenses needed to prevent encryption if an adversary does succeed in penetrating the organization.” That layered approach to security is critical, as creating additional barriers can frustrate and repel lower-level hacking groups looking for easy money.
Often, educational institutions see cyber insurance as a needless expense, until they need it. Compared with professional organizations and companies, education has a much lower rate of cyber insurance coverage. This appears to be predominantly a cost-based issue, driven by a lack of understanding on the administrations’ part:
- 39% in lower education and 44% in higher education say fewer providers are offering cyber insurance
- 50% in lower education and 49% in higher education say the level of cybersecurity they need to qualify for cyber insurance is now higher
- 46% in lower education and 40% in higher education say policies are now more complex
- 35% in lower education and 41% in higher education say the process takes longer
- 34% in lower education and 31% in higher education say it is more expensive
All of this shows that, of course, schools need to take these policies seriously. But it is also a failure of cyber insurance providers to adequately message the threat level and importance of having a policy.
Overall, smaller and less well-known schools are more vulnerable. These schools often have less sophisticated security systems and are more likely to pay out. But no matter the size, a common trend is that employees and students not following simple cybersecurity protocols is a primary driver of hacker access to school data systems. This isn’t the final stop for security, though, and Sophos offers some additional tips based on their research trends:
- Ensure high-quality defenses at all points in your environment. Review your security controls and make sure they continue to meet your needs.
- Proactively hunt for threats so you can stop adversaries before they can execute their attack – if you don’t have the time or skills in-house, work with a specialist MDR (managed detection and response) cybersecurity service.
- Harden your environment by searching for and closing down security gaps: unpatched devices, unprotected machines, open RDP ports, etc. Extended Detection and Response (XDR) is ideal for this purpose.
- Prepare for the worst. Know what to do if a cyber incident occurs and who you need to contact.
- Make backups, and practice restoring from them. Your goal is to get back up and running quickly, with minimal disruption.
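The last tip, practicing restores, can be automated as a recurring restore drill. The following is an added example, not code from Sophos or the original article: it archives a directory, restores it into a scratch location, and compares SHA-256 digests against a manifest recorded at backup time. The function names, file names and sample data are assumptions made for illustration.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def manifest_of(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source: Path, archive: Path) -> dict:
    """Archive every file in source; return the manifest, to be stored
    somewhere the backup host cannot overwrite (assumption of this example)."""
    manifest = manifest_of(source)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(source / rel, arcname=rel)
    return manifest


def restore_drill(archive: Path, manifest: dict) -> dict:
    """Restore into a scratch directory and diff the result against the manifest."""
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            # Use the "data" extraction filter where available so a tampered
            # archive cannot write outside the scratch directory.
            extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch, **extra)
        restored = manifest_of(Path(scratch))
    return {
        "missing": sorted(set(manifest) - set(restored)),
        "unexpected": sorted(set(restored) - set(manifest)),
        "corrupt": sorted(k for k in set(manifest) & set(restored)
                          if manifest[k] != restored[k]),
    }


if __name__ == "__main__":
    # Constructed sample data standing in for a student information system export.
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "records"
        src.mkdir()
        (src / "attendance.csv").write_text("student_id,present\n1001,yes\n")
        baseline = create_backup(src, Path(work) / "nightly.tar.gz")
        print(restore_drill(Path(work) / "nightly.tar.gz", baseline))
```

A drill that returns three empty lists means the archive restored completely and byte-for-byte; any entry under `missing` or `corrupt` is a backup that would have failed when it was needed.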