January 25, 2016 By Douglas Bonderud 2 min read

In the last year, higher education institutions have become top-tier targets for malicious actors. Why? Two critical elements: Enterprise-level tech infrastructure and (often) security that doesn’t dovetail with enterprise requirements.

According to SecurityWeek, attackers have just struck again — this time, sensitive information from the University of Virginia’s HR system has been breached, leaving 1,400 employees at risk of identity theft. What can higher ed organizations do to prevent this kind of compromise?

Two-Years of Sensitive Information?

A newly released security notice from the university stated that it was “recently notified” by the FBI about a data breach on its system. Apparently, the FBI’s investigation led to the overseas capture of several suspects.

It also revealed that in November 2014, cybercriminals gained access to the school’s HR systems, the W-2s of 1,400 employees and the direct banking information of 40 staff members. What’s more, these breaches continued until February 2015. While no other components of the university’s HR were compromised, the large gap between the initial attack and ultimate detection is worrisome; attackers had plenty of time to use and abuse employee data.

The University of Virginia isn’t the only recent target in the academic world. As noted by HackRead, the University of Connecticut had its official Web portal hacked and used to distribute malware disguised as a fake Flash Player update. In China, meanwhile, Tsinghua University’s website was compromised by ISIS militant supporters to display a pro-war image and slogan.

People Problems

Attackers are getting bolder. They’re willing to attack Web portals directly, grab any sensitive information they can from school systems and breach landing pages to promote political agendas. It’s worth noting, however, that the UVA attack came courtesy of a phishing scam that required users to click a link and then provide usernames and passwords.

Security expert Adam Levin of IDT911 pointed out to SecurityWeek that “even if their IT and information security departments did everything right, one or more employees who click on a malicious link can be unwitting co-conspirators in the compromise of a database holding the personal information of countless individuals.” In other words, even enterprise-level security and automation can’t account for all user behavior; a single wrong click can give criminals just the opportunity they need.

Solutions? Better training is always a good option: Teach students and staff never to open any attachments they don’t recognize and never enter login data into sites outside the university network. As noted by Technical.ly, there are also initiatives like Wilmington University’s Elite Award, which will pay out $313.73 in bitcoin to the student who “best exemplifies a passion for the cybersecurity profession” through a portfolio of extracurricular work. The idea here is to recognize the value of white-hat hacking and, more importantly, the role of ethical hackers in both improving the security of large institutions and minimizing the accidental damage caused by students and employees.

The UVA hack isn’t huge but speaks to the continued efficacy of people-prefaced attacks. It’s also among the first discovered in 2016. Given the current state of malware and rise of startup cybercriminal groups, expect an academic assault on sensitive data this year.

More from

CISA adds Microsoft SharePoint vulnerability to the KEV Catalog

3 min read - In late October, the United States Cybersecurity & Infrastructure Security Agency (CISA) added a new threat to its Known Exploited Vulnerability (KEV) Catalog. Cyber criminals used remote code execution vulnerability in Microsoft SharePoint to gain access to organizations’ networks. The CISA press release states that “these types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.”However, Microsoft identified and released a patch for this vulnerability in July 2024. Cybersecurity experts are…

What does resilience in the cyber world look like in 2025 and beyond?

6 min read -  Back in 2021, we ran a series called “A Journey in Organizational Resilience.” These issues of this series remain applicable today and, in many cases, are more important than ever, given the rapid changes of the last few years. But the term "resilience" can be difficult to define, and when we define it, we may limit its scope, missing the big picture.In the age of generative artificial intelligence (gen AI), the prevalence of breach data from infostealers and the near-constant…

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today