In the last year, higher education institutions have become top-tier targets for malicious actors. Why? Two critical elements: Enterprise-level tech infrastructure and (often) security that doesn’t dovetail with enterprise requirements.

According to SecurityWeek, attackers have just struck again — this time, sensitive information from the University of Virginia’s HR system has been breached, leaving 1,400 employees at risk of identity theft. What can higher ed organizations do to prevent this kind of compromise?

Two-Years of Sensitive Information?

A newly released security notice from the university stated that it was “recently notified” by the FBI about a data breach on its system. Apparently, the FBI’s investigation led to the overseas capture of several suspects.

It also revealed that in November 2014, cybercriminals gained access to the school’s HR systems, the W-2s of 1,400 employees and the direct banking information of 40 staff members. What’s more, these breaches continued until February 2015. While no other components of the university’s HR were compromised, the large gap between the initial attack and ultimate detection is worrisome; attackers had plenty of time to use and abuse employee data.

The University of Virginia isn’t the only recent target in the academic world. As noted by HackRead, the University of Connecticut had its official Web portal hacked and used to distribute malware disguised as a fake Flash Player update. In China, meanwhile, Tsinghua University’s website was compromised by ISIS militant supporters to display a pro-war image and slogan.

People Problems

Attackers are getting bolder. They’re willing to attack Web portals directly, grab any sensitive information they can from school systems and breach landing pages to promote political agendas. It’s worth noting, however, that the UVA attack came courtesy of a phishing scam that required users to click a link and then provide usernames and passwords.

Security expert Adam Levin of IDT911 pointed out to SecurityWeek that “even if their IT and information security departments did everything right, one or more employees who click on a malicious link can be unwitting co-conspirators in the compromise of a database holding the personal information of countless individuals.” In other words, even enterprise-level security and automation can’t account for all user behavior; a single wrong click can give criminals just the opportunity they need.

Solutions? Better training is always a good option: Teach students and staff never to open any attachments they don’t recognize and never enter login data into sites outside the university network. As noted by Technical.ly, there are also initiatives like Wilmington University’s Elite Award, which will pay out $313.73 in bitcoin to the student who “best exemplifies a passion for the cybersecurity profession” through a portfolio of extracurricular work. The idea here is to recognize the value of white-hat hacking and, more importantly, the role of ethical hackers in both improving the security of large institutions and minimizing the accidental damage caused by students and employees.

The UVA hack isn’t huge but speaks to the continued efficacy of people-prefaced attacks. It’s also among the first discovered in 2016. Given the current state of malware and rise of startup cybercriminal groups, expect an academic assault on sensitive data this year.