January 25, 2016 By Douglas Bonderud 2 min read

In the last year, higher education institutions have become top-tier targets for malicious actors. Why? Two critical elements: Enterprise-level tech infrastructure and (often) security that doesn’t dovetail with enterprise requirements.

According to SecurityWeek, attackers have just struck again — this time, sensitive information from the University of Virginia’s HR system has been breached, leaving 1,400 employees at risk of identity theft. What can higher ed organizations do to prevent this kind of compromise?

Two-Years of Sensitive Information?

A newly released security notice from the university stated that it was “recently notified” by the FBI about a data breach on its system. Apparently, the FBI’s investigation led to the overseas capture of several suspects.

It also revealed that in November 2014, cybercriminals gained access to the school’s HR systems, the W-2s of 1,400 employees and the direct banking information of 40 staff members. What’s more, these breaches continued until February 2015. While no other components of the university’s HR were compromised, the large gap between the initial attack and ultimate detection is worrisome; attackers had plenty of time to use and abuse employee data.

The University of Virginia isn’t the only recent target in the academic world. As noted by HackRead, the University of Connecticut had its official Web portal hacked and used to distribute malware disguised as a fake Flash Player update. In China, meanwhile, Tsinghua University’s website was compromised by ISIS militant supporters to display a pro-war image and slogan.

People Problems

Attackers are getting bolder. They’re willing to attack Web portals directly, grab any sensitive information they can from school systems and breach landing pages to promote political agendas. It’s worth noting, however, that the UVA attack came courtesy of a phishing scam that required users to click a link and then provide usernames and passwords.

Security expert Adam Levin of IDT911 pointed out to SecurityWeek that “even if their IT and information security departments did everything right, one or more employees who click on a malicious link can be unwitting co-conspirators in the compromise of a database holding the personal information of countless individuals.” In other words, even enterprise-level security and automation can’t account for all user behavior; a single wrong click can give criminals just the opportunity they need.

Solutions? Better training is always a good option: Teach students and staff never to open any attachments they don’t recognize and never enter login data into sites outside the university network. As noted by Technical.ly, there are also initiatives like Wilmington University’s Elite Award, which will pay out $313.73 in bitcoin to the student who “best exemplifies a passion for the cybersecurity profession” through a portfolio of extracurricular work. The idea here is to recognize the value of white-hat hacking and, more importantly, the role of ethical hackers in both improving the security of large institutions and minimizing the accidental damage caused by students and employees.

The UVA hack isn’t huge but speaks to the continued efficacy of people-prefaced attacks. It’s also among the first discovered in 2016. Given the current state of malware and rise of startup cybercriminal groups, expect an academic assault on sensitive data this year.

More from

Adversarial advantage: Using nation-state threat analysis to strengthen U.S. cybersecurity

4 min read - Nation-state adversaries are changing their approach, pivoting from data destruction to prioritizing stealth and espionage. According to the Microsoft 2023 Digital Defense Report, "nation-state attackers are increasing their investments and launching more sophisticated cyberattacks to evade detection and achieve strategic priorities."These actors pose a critical threat to United States infrastructure and protected data, and compromising either resource could put citizens at risk.Thankfully, there's an upside to these malicious efforts: information. By analyzing nation-state tactics, government agencies and private enterprises are…

6 Principles of Operational Technology Cybersecurity released by joint NSA initiative

4 min read - Today’s critical infrastructure organizations rely on operational technology (OT) to help control and manage the systems and processes required to keep critical services to the public running. However, due to the highly integrated nature of OT deployments, cybersecurity has become a primary concern.On October 2, 2024, the NSA (National Security Agency) released a new CSI titled “Principles of Operational Technology Cybersecurity.” This new guide was created in collaboration with the Australian Signals Directorate’s Australian Cyber Security Centre (ASD SCSC) to…

Strela Stealer: Today’s invoice is tomorrow’s phish

12 min read - As of November 2024, IBM X-Force has tracked ongoing Hive0145 campaigns delivering Strela Stealer malware to victims throughout Europe - primarily Spain, Germany and Ukraine. The phishing emails used in these campaigns are real invoice notifications, which have been stolen through previously exfiltrated email credentials. Strela Stealer is designed to extract user credentials stored in Microsoft Outlook and Mozilla Thunderbird. During the past 18 months, the group tested various techniques to enhance its operation's effectiveness. Hive0145 is likely to be…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today