If you’re looking for information on pretty much any topic, a university is a good place to start. Hackers are now using the same logic, launching cyberattacks on institutions of higher education to access personal information on thousands of students, faculty and staff.
Hundreds of data breaches over the past decade suggest that U.S. universities are a promising hunting ground for cyber thieves looking to obtain valuable identification information. While the goal is often to sell those personal details or commit fraud, other times the objectives are closer to cyber-espionage.
Earlier this month, Harvard University said a data breach occurred on June 19, affecting individuals affiliated with eight out of their 12 schools. On its website, university officials said they have “no indication that research data or personal data managed by Harvard systems (such as social security numbers) have been exposed.”
That makes Harvard an anomaly.
Between 2005 and 2013 there were 551 data breaches at U.S. universities, according to a study published last year by Educause, a group that works with universities and technology companies and provides IT systems to institutions. Educause analyzed data from the Privacy Rights Clearinghouse, a nonprofit working to raise awareness of how technology affects privacy.
Another study by the Identity Theft Resource Center found 42 colleges and universities fell victim to cyber attacks in the last year.
“Higher education accounts for 17 percent of all personal information data breaches,” said Kennet Westby, president of Coalfire Systems Inc., a cybersecurity firm that often works with universities. “Only the medical sector (27 percent) is victimized more.
Hackers are often drawn to university systems because of network vulnerability, the research available at universities, and the availability of large collections of personal data from students and employees.
“Those networks are always up, available and are going to have high bandwidth,” said Mike Oppenheim, intel operations manager at the cybersecurity firm FireEye Inc. “So if you’re going to use those for infrastructure for jump-off points to hit other networks that are the true victim, those universities’ networks are great for infrastructure.”
Westby said the vulnerability of networks is tied to campus culture.
“Higher education is particularly vulnerable because colleges’ and universities’ computer networks have historically been as open and inviting as their campus,” he said in an email. “They want faculty, students and donors to connect easily to their networks.”
Data breaches can also impact individuals off-campus. At the University of California, Berkeley, school officials in late April said roughly 260 former and current undergraduate students, as well as 290 parents and family members of students, had their Social Security numbers exposed by hackers.
Four months earlier hackers accessed the university’s Real Estate Division and compromised 1,300 Social Security numbers and 300 credit card numbers belonging to current and former campus employees, along with info on employees of companies engaged in business with the division.
The University of Maryland suffered a data breach exposing records of 287,580 faculty, staff and students, in addition to affiliated personnel from College Park and Shady Grove campuses, in February 2014. Hackers accessed names, Social Security numbers, dates of birth and university identification numbers.
Most of these attacks originate from countries like China, Russia and Iran, according to Oppenheim, though he singled out Chinese groups as being the primary perpetrators.
When Pennsylvania State University said in May that 18,000 members of their engineering school had personal information, including Social Security numbers, exposed in two hacks, the university hired FireEye for damage control. The firm later said that at least one of the hacks originated from China.
The personal information compromised in these cyberattacks is easily bought and sold on the black market.
A December 2014 study by Dell Inc. found that for just $30 an individual on the black market could purchase all the information needed to commit identity theft: full name, home address, phone number, email addresses and passwords, Social Security numbers and employee identification numbers.
“The data is absolutely used to commit fraud,” Westby said of the university hacks.
But Oppenheim said that sometimes it’s a bit more complicated than that.
“The nation-state actors that we prominently talk about as advanced, persistent threats are not in this to sell data like that – they’re in this for espionage-type reasons,” he said. “It’s not to steal their credit. It’s, ‘I want to know this person so I can track their activities throughout time.’ Or it’s to understand who this person is and what they’re working on.”
Oppenheim and Westby both said professors’ research plays an important role as well.
Hackers “are in there to take intellectual property, research in areas of interest to them, or to try and get some type of identifiable information for human intelligence collection on these people,” Oppenheim said.
Westby added that “hackers are also increasingly targeting intellectual property and sensitive research,” adding that such IP data appears to have been the main target in Harvard’s data breach.
Privacy Rights Clearinghouse data shows that 28 educational institutions were breached last year, amounting to compromised records for almost 1.1 million people.
The increase in data breaches, not just at universities, has prompted some congressional action. The House passed two cyber info-sharing bills earlier this year that would create a framework for the federal government to collaborate with the private sector with the aim of preventing cyberattacks. The Senate has yet to vote on a related measure.
In the meantime, Oppenheim said, “defense firms are always playing catch-up.
Data breaches are “inevitable, so you need to know how to set up your defense by identifying what your most valuable assets are and trying to protect those as best you can so that you can both contain it and start investigating quickly,” he said.
Westby noted that too many universities underestimate the cyber threat.
“Information security has been historically unappreciated and underfunded within higher education,” he said. “As these breaches become more commonplace and receive more attention, we expect information security to become a higher priority for university administrators.”
Some universities already contract outside firms to handle their security. Joanna Grama, director of cybersecurity and compliance programs at Educause, said her firm knows “that 17 percent of U.S. institutions have reported some operating outsourcing expenditures for information security services.”