A Recap of Recent Cybersecurity Incidents at Universities
When considering cybersecurity, many may first think of cutting-edge tech companies. Healthcare providers may spring to mind for others and government agencies for still others. But strong cybersecurity—if it’s not already—is becoming paramount in every sector, and if the recent attacks tell us anything, it’s now paramount for universities as well.
Stories out of the University of Minnesota and Indiana University—among others—have demonstrated that cybercriminals have set their sights on institutions of higher education, which means that schools need to be on high alert.
They also need to know what they’re up against. As cybersecurity assessors, we’ve helped our share of organizations cope with attacks similar to those being aimed at colleges. To help you get up to speed, we’re going to detail three big ones so that other schools can understand the breadth of the threats they face and begin preparing to avoid similar issues.
Education may not be the first sector anyone thinks of when considering cybersecurity, but those operating within it should certainly have cybersecurity on their minds.
5 Cyber Attacks on Universities You Need to Know About
1. University of Minnesota – Database Hack
Though the school only realized in July 2023 that the 2021 breach had occurred, they confirmed a criminal incursion into a database that contained financial aid applications, which are comprised of a slew of personal information, including:
- Full names
- Contact information such as addresses and telephone numbers
- Social Security numbers
- Driver's license and passport information
The compromised data dated back to 1989 and covered prospective students, students who did attend the school, and staff. UM’s operations were never impacted, nor was its access to its data ever restricted, which likely contributed to the attack flying under the radar for so long: the school didn’t realize what had happened until it learned the hacker was posting the stolen sensitive data online (in 2023).
2. Indiana University – Unprotected Third-Party Assets
Every year, at hundreds of higher-learning institutions across the U.S. (and Canada), thousands of students—including transfers—take the Beginning College Student Engagement Survey (BCSSE) and share information about their prior academic and co-curricular experience, as well as their expectations for the coming year.
As part of this survey, students provide their full names and student card numbers, as well as other personal information like their sexual orientation, race, and ethnicity. The BCSSE is intended to remain mostly confidential, but outside researchers found that Indiana University stored this data on two unprotected Azure Storage blobs that contained over 1.3 million exposed files.
That was in May 2023—in July 2023, cybercriminals posted an IU database and almost 250k records, including names and email addresses, to a forum for stolen data (though the university maintains that information was already in the public domain).
3. University of Georgia – Third-Party Software Vulnerability
In September 2023, the University of Georgia confirmed that cybercriminals gained access to data stored in the MOVEit Secure File Transfer and Automation software that UGA was using to store and transfer sensitive data.
Progress Software—MOVEit’s creator—identified a defect in their program that may have exposed data. Though it remains unclear when the hack occurred, an unauthorized party indeed accessed university data that included, among other personally identifiable information:
- Student names, as well as faculty members’ names
- Contact information such as addresses, phone numbers, and email addresses
- Social Security numbers
- Staff salary and benefit information
The breach at UGA was part of a larger one affecting the University System: according to other reporting, other related victims of the same criminals—which are thought to be the Russia-linked gang Cl0p—include Johns Hopkins University, Washington State University (WSU), and Colorado State University, among others, as well as some U.S. banks, international companies, and several state governments.
4. Lincoln College – Ransomware
A historically Black university located in rural central Illinois, Lincoln College—a small school of about 600 students—became the first American college to shutter its doors due to a ransomware attack on the school in 2021 after 157 years in operation.
Already struggling due to the COVID-19 pandemic, the school became “a victim of a cyberattack in December 2021 that thwarted admissions activities and hindered access to all institutional data, creating an unclear picture of Fall 2022 enrollment projections," according to an announcement posted to the school’s website.
Though no personal identifying information was ever exposed, the systems impacted by the breach included those required for recruitment, retention, and fundraising efforts, which were inoperable for three months until March 2022. Though the school never disclosed the attackers or what they asked for, some news reports say that the ransom attack is thought to have originated from Iran and the demand was less than $100,000 (which was paid).
The school would close in May 2022—it did not survive ransomware, despite having endured “many [other] difficult and challenging times – the economic crisis of 1887, a major campus fire in 1912, the Spanish flu of 1918, the Great Depression, World War II, the 2008 global financial crisis, and more.”
5. University of Pisa – Ransomware
Cybersecurity attacks on universities aren’t limited to the United States. In June 2022, the University of Pisa fell victim to the BlackCat ransomware group which seized the university’s IT system before seeking a ransom of a whopping $4.5 million, making it one of the bigger ransoms demanded in 2022.
Though we still don’t know if the school was forced to pay the hackers their demands, at the very least, we do know that BlackCat, in its ransomware, uses a modern programming language (Rust) adept at evading detection, which no doubt allows them to deal more damage. Regardless of whether or not the university paid, the attacker’s demand still ranked among the biggest ransomware amounts of 2022.
Consequences for Poor Cybersecurity in Universities
All this to say, universities and colleges, especially those with research labs, have become frequent targets for hackers—particularly those peddling ransomware—no doubt due to the sector’s overall lack of investment in cybersecurity, which is now, unfortunately, being brought to harsh light.
What’s worse is that the consequences can be devastating. Like Lincoln College, many schools don’t have major funds to pay their ransomware attackers, but the impact of cyber incidents at universities can go beyond the financial:
- Operational Disruptions: Depending on the attack’s sophistication and what is compromised, attacks may even force an institution to shut down for days.
- Academic Interruptions: If systems are compromised, examinations and admissions processes may need to be postponed, and classes may need to be canceled, stalling the student learning process.
- Exposure of Personal Data: If the personal data of students or staff is compromised, that leaves them vulnerable to identity theft, among other issues.
- Reputational Damage: Though universities have worked hard to stay tight-lipped about the details of attacks, cyber incidents garner negative media attention which erodes the trust of current and prospective students, their parents, and staff.
Cybersecurity in Every Sector
As you’ve just learned, cybercriminals are creative and have already targeted a wide variety of schools, and to avoid the similar negative fallout suffered by the universities mentioned, other institutions must take steps to better protect themselves, especially as the threat landscape continues to evolve and attacks grow more sophisticated.
There are several good steps you can take to understand your cyberattack preparedness and security gaps—Schellman offers several different services that may be of some use:
- Ransomware Assessments – We can help you develop a holistic risk assessment plan that specifically addresses the latest ransomware threats and mitigation strategies.
- NIST Cybersecurity Framework Assessments – Adhering to the NIST CSF can help you address risk, enhance security, and demonstrate compliance, and we can assess you to further validate your efforts.
- ISO 27001 Certification – ISO 27001 is one of the most popular information security frameworks currently sought by organizations of all types as its holistic approach requires a comprehensive management system be implemented to secure information.
- Penetration Testing – Penetration tests, of which there are many different types, are all authorized simulated attacks to evaluate the security of a system, and having one performed can both demonstrate your commitment to data security and identify any vulnerabilities in the tested system.
- Cybersecurity Maturity Model Certification (CMMC) – As the Department of Defense’s (DoD) new approach to risk management of its supply chain, CMMC applies to university research labs and other related facilities that must improve their cybersecurity to this standard if they wish to continue to work with the government.
To learn about how we can help and get started on improving the cybersecurity at your university, contact us today.
About SCOTT ZELKO
Scott Zelko is a Managing Director at Schellman. Scott leads the Northeast Practice and the ISO Certification service line including ISO 27001, ISO 9001, ISO 20000, and ISO 22301. He works with many of the world’s leading cloud computing, FinTech, and security provider clients. Scott has more than 30 years of experience in the information technology field including IT management, system implementations, attestation and other advisory services and holds multiple certifications in the areas of Security, Privacy and Enterprise Governance. In addition, Scott works with clients to develop unified compliance strategies to meet internal, regulatory and client requirements.