March 12, 2015 By Douglas Bonderud 2 min read

On Jan. 22, the University of Chicago became aware of a cyberattack that targeted student records from its Biological Sciences department. According to ZDNet, university officials still aren’t certain when the hack started or how deep it went, but in a letter dated Feb. 22, the institution apologized for the threat to student and employee security and offered a one-year subscription to a credit-monitoring service. This isn’t the first time a university has been the victim of a data breach, and it certainly won’t be the last.

Known Quantities

University administrators now know that at least one Department of Medicine database was compromised, which included information about current students and employees in addition to data about former students, employees and even contractors.

The school’s letter indicates that stolen personal information ranges from names and Social Security numbers to employee IDs, usernames and physical addresses. However, it assured those affected that no banking information or other types of financial data were compromised.

Access to the database has been restricted while IT experts attempt to determine the exact scope of this data breach and for how long cybercriminals had access. So far, there’s no word on who might be responsible for the attack. The other unknown? Why universities keep popping up in the news for IT breaches.

Familiar Qualities?

Retail stores and health care agencies are both popular targets for cyberattacks because they deal with a high volume of sensitive consumer information, often with payment details attached. Post-secondary schools share some of these qualities, since students are required to provide a large amount of personal information and financial assurances to guarantee their enrollment. However, in comparison to the 70 million credit cards compromised in last year’s Target attack, the 300,000 students and faculty targeted at North Dakota University or the University of Maryland last year seem like just a drop in the bucket. With malicious actors now able to crack some of the world’s most complex and secure systems, why would they target universities?

There are two reasons. First, post-secondary IT security can sometimes be spotty. Several recent data breaches were successful because information wasn’t properly encrypted or network access policies simply weren’t up to snuff. The second reason is usability — students are typically slow to replace stolen cards or track credit ratings, and universities often wait months before disclosing the nature and scope of a breach. This leaves malicious actors with a significant amount of time to commit fraud without being detected and then move on to their next target.

The big lesson here for the University of Chicago and other post-secondary schools is that holding a large amount of student and employee records — both current and former — puts them on the same playing field as enterprises. Therefore, IT security must be tailored to match the value of assets, not assumptions.

Image Source: Flickr

More from

Router reality check: 86% of default passwords have never been changed

4 min read - Misconfigurations remain a popular compromise point — and routers are leading the way.According to recent survey data, 86% of respondents have never changed their router admin password, and 52% have never adjusted any factory settings. This puts attackers in the perfect position to compromise enterprise networks. Why put the time and effort into creating phishing emails and stealing staff data when supposedly secure devices can be accessed using "admin" and "password" as credentials?It's time for a router reality check.Rising router risksRouters…

Preparing for the future of data privacy

4 min read - The focus on data privacy started to quickly shift beyond compliance in recent years and is expected to move even faster in the near future. Not surprisingly, the Thomson Reuters Risk & Compliance Survey Report found that 82% of respondents cited data and cybersecurity concerns as their organization’s greatest risk. However, the majority of organizations noticed a recent shift: that their organization has been moving from compliance as a “check the box” task to a strategic function.With this evolution in…

The 5 most impactful cybersecurity guidelines (and 3 that fell flat)

4 min read - The best cybersecurity guidelines have made a huge difference in protecting data from theft and compromise, both in the United States and around the world.These guidelines are comprehensive sets of recommended practices, procedures and principles designed to help organizations and individual people safeguard their digital assets, systems and data from malicious attacks. They can cover a wide range of practices and exist in part to collect and share best practices and strategies based on industry standards and expert knowledge. Crucially,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today