The Higher Education sector increasingly attracts hackers due to huge amounts of critical information its systems store. This data refers to personal information of employees and students along with top universities’ research materials.
The research conducted by EdGuards Company, describing cybercrime development in the U.S. Higher Education sphere and notorious incidents caused by malefactors’ activity, reveals that a starting point of data breaches dates back to 2002.
Higher Education cyber attacks initiated
The first deal of cyber criminals in Higher Education was an attack on Yale’s system in 2002 by hackers from Princeton University. A target of the espionage was information on the admission decisions. In 2003, there were several attacks directed on students’ and staff members’ personal information. The statistics wasn’t upbeat – about 2,000,000 records of California universities were stolen within three breaches in 2004.
Personal data as the main target in the middle noughties
June 2005 left an indelible mark on the University of Hawaii – the personal data of 150,000 students, staff and library patrons was stolen by (you may not believe) a former librarian who compromised it in order to obtain fraudulent loans.
The University of Utah continued the library story – around 100,000 names and social security numbers of former employees were stolen from archival databases.
Next year, cyber attacks aimed at personal information increased dramatically. The breach of University of California at Los Angeles (UCLA) database caused the loss of nearly 800,000 records of faculty and staff, parents and student applicants.
Attackers focus on PeopleSoft system
Oracle’s PeopleSoft is a system that is broadly used by colleges and universities. The first attack on the PeopleSoft system that received wide media coverage happened in 2007. Three hackers used keylogging software on computers to steal passwords and then logged into the PeopleSoft system at Florida A&M University. The aim was changing the grades. The data was recovered but malefactors repeated their attack. As a result, the data of 90 students was modified by about 650 grade-changes.
In 2008, personal data was still the main aim of malefactors. However, the size of breaches increased significantly – from 70,000 stolen records to 700,000.
2012 was notorious due to a cyberattack on a PeopleSoft system. A student at the University of Nebraska compromised university’s PeopleSoft system and accessed the database so that critical information of 654,000 students and employees was exposed. Moreover, it led to leakage of the bank account details of 21,000 people. The stolen records included the information on 1985 spring alumni. Chadron State, Peru State, and Wayne State colleges were also impacted because two years earlier Nebraska college system started using NeSIS, a shared student information system. The former student pleaded guilty to one count intentionally damaging a protected computer while total harm was evaluated at $5,000. The university officials created a webpage devoted to the incident.
Another breach of PeopleSoft system happened a year later in Massachusetts Salem State University. The aim was erstwhile – personal data.
Higher Education cyber attacks size record
The personal data of 2.4 million current and former students and employees of the Maricopa County Community College District was compromised and then discovered by FBI on a website offering for sale.
A new stage of cybercrime development
During 2014-2016, not only the number of attacks rose significantly, but also breaches became more aggressive and advanced.
The main point of this period was a considerable increase in number of attacks. According to the statistic provided by Verizon’s annual Data Breach Investigations Report, the frequency of security breaches affecting universities multiplied almost ten times.
By 2017, the number of cyber attacks vastly grew to 393 (in 2012 there were only 5).
More than a data breach – cyber espionage campaign on Higher Education
In comparison with 2005, 2018 illustrates a tremendous increase in cybercrime sizes.
In March 2018, over 300 universities worldwide suffered from a giant cyberattack organized by nine Iranian hackers. According to the official information, 31 terabytes of “valuable intellectual property and data” was exposed. This case became one of the biggest hacker campaigns.
Summary
A short but intense history of cyber attacks in Higher Education has shown that attackers, who are becoming increasingly equipped and sophisticated, keep targeting universities. Business applications such as HR, Financial and Campus Solutions based on PeopleSoft or other systems are in the greatest risk because of critical data they store and process.
Despite the small number of stolen accounts, hackers’ goal remains personal data, social security numbers, and financial information. When storing massive archives of outdated information, universities put at risk data of former students and employees. Criminals may use data to open up a new credit card or collect taxes refund that makes the impact of breaches more destructive.
The constant development of technologies provides Higher Education with new challenges to face. In terms of cybersecurity, the overview of the previous experience is the initial stage of effective defense.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.