March 12, 2015 By Douglas Bonderud

On Jan. 22, the University of Chicago became aware of a cyberattack that targeted student records from its Biological Sciences department. According to ZDNet, university officials still aren’t certain when the hack started or how deep it went, but in a letter dated Feb. 22, the institution apologized for the threat to student and employee security and offered a one-year subscription to a credit-monitoring service. This isn’t the first time a university has been the victim of a data breach, and it certainly won’t be the last.

Known Quantities

University administrators now know that at least one Department of Medicine database was compromised. It included information about current students and employees in addition to data about former students, employees and even contractors.

The school’s letter indicates that stolen personal information ranges from names and Social Security numbers to employee IDs, usernames and physical addresses. However, it assured those affected that no banking information or other types of financial data were compromised.

Access to the database has been restricted while IT experts attempt to determine the exact scope of this data breach and for how long cybercriminals had access. So far, there’s no word on who might be responsible for the attack. The other unknown? Why universities keep popping up in the news for IT breaches.

Familiar Qualities?

Retail stores and health care agencies are both popular targets for cyberattacks because they deal with a high volume of sensitive consumer information, often with payment details attached. Post-secondary schools share some of these qualities, since students are required to provide a large amount of personal information and financial assurances to guarantee their enrollment. However, in comparison to the 70 million credit cards compromised in last year’s Target attack, the 300,000 students and faculty targeted at North Dakota University or the University of Maryland last year seem like just a drop in the bucket. With malicious actors now able to crack some of the world’s most complex and secure systems, why would they target universities?

There are two reasons. First, post-secondary IT security can sometimes be spotty. Several recent data breaches were successful because information wasn’t properly encrypted or network access policies simply weren’t up to snuff. The second reason is usability — students are typically slow to replace stolen cards or track credit ratings, and universities often wait months before disclosing the nature and scope of a breach. This leaves malicious actors with a significant amount of time to commit fraud without being detected and then move on to their next target.

The big lesson here for the University of Chicago and other post-secondary schools is that holding a large amount of student and employee records — both current and former — puts them on the same playing field as enterprises. Therefore, IT security must be tailored to match the value of assets, not assumptions.
