Higher Education Cyber Attacks History

June 15, 2018

For educational organizations, comprehensible statistics on publicly disclosed data breaches date back to 2002. That year is the starting point for the statistics on Higher Education cyber attacks in the United States (e.g., fraudulent actions, hacking, use of malware, unauthorized access and other types of attacks performed by cybercriminals) and for this overview of the history of incidents.

Although critical data losses may also be caused by users’ inadvertence, this overview highlights the cases that resulted from malefactors’ activity.

2002-2003 First Higher Education cyber attacks

Higher Education cyber attacks are actually not something new. One of the first attacks in this sector that we managed to find dates back to 2002 and is an example of an espionage case. Malefactors from Princeton University hacked into Yale’s system to get the information on the admission decisions.

In 2003, there were also a couple of attacks that were said to target personal information of students and staff members, and this trend would later become a leading feature of attacks in this field.

2004 New law introduction

2004 became an important year in the history of cyber security of educational organizations, as the State of California released the very first ‘Data Breach Notification’ law. Since then, every organization in California experiencing a security incident has had to report any breach officially. That year, the universities of California reported a total of 3 breaches that amounted to some 2,000,000 records being stolen.

2005 – 2006 Middle noughties Higher Education cyber attacks, personal data

June 2005 became infamous due to the security incident that took place at the University of Hawaii. A former librarian, instead of catching marvelous blue waves and peacefully enjoying himself, stole personal data of about 150,000 students, staff and library patrons. The malefactor compromised the data in order to obtain fraudulent loans.

Library databases were accessed to get critical data more than once that year: the University of Utah had around 100,000 names and Social Security numbers of former employees stolen from library archival databases.

The next year brought much bigger losses resulting from Higher Education cyber attacks. About 800,000 records were stolen from a University of California at Los Angeles (UCLA) database. The leaked personal information on students, faculty and staff, parents and student applicants, including those who did not attend, contained names, SSNs, birth dates, home addresses, and contact information. It was also mentioned that 3,200 of the affected are current or former staff and faculty of UC Merced and UC’s Oakland head departments.

In most cases, Higher Education cyber attacks that happened in 2005-2006 were focused on personal information thefts, such as SSN and other data.

2007 First cyber attack on Campus Solutions system (PeopleSoft incident)

In the sphere of education, as well as in other spheres, various business applications serve to simplify business processes supervision. For instance, ERP-type systems are common in the field of Manufacturing and SIS (student information systems) are widely spread in the educational sphere. What is more, every industry has its typical systems, such as HR and CRM. These are business applications that store and process the most critical data. Consequently, no wonder that malefactors are likely to pay attention to them at some point.

2007 was noteworthy because one of the attacks on PeopleSoft systems gained wide media attention. In August 2007, aiming to modify grades, Christopher Jacquette, 29, from Florida, together with Lawrence Secrease and Marcus Barrington, used keylogging software on university computers to get the passwords necessary for logging into the PeopleSoft system at Florida A&M University. University staff members learned about the incident quite soon, as an audit revealed the foreign software, and the altered grades were identified. The university might have been done with that; however, the trio repeated the hacking attempt. This time, Jacquette also accepted US$1200 from two students for changing their residency status to ‘in-state’. The staff quickly disclosed the incident, and Jacquette was finally sentenced to 22 months’ imprisonment and three years of supervised release. Overall, the data of 90 students was modified by about 650 grade changes.

However, this year became infamous also due to several other Higher Education cyber attacks where hackers stole critical data. In an attack on the system of the University of North Carolina, a hacker accessed the personal data of 236,000 women that was used in a Chapel Hill research study. Social Security numbers of 163,000 participants were among the compromised records. The records formed part of the Carolina Mammography Registry, a project that compiled and analyzed mammography data. The incident was discovered only two years later, in 2009. The researcher was accused of acting negligently, but the attorney claimed there was no evidence of violating or ignoring rules in using the data. Finally, the researcher agreed to retire at the end of 2011 and was given the full rank and salary until that time.

2008-2011 SSN cyber attacks strike back at Higher Education

In 2008, hackers proceeded with stealing data with renewed vigor. While the target remained almost the same, hackers shifted their focus to stealing personal data, and the maximum size of a data breach rose from 70,000 records to 700,000 records.

A malefactor compromised the system of Antioch University three times and got access to about 70,000 records in 2008. The stolen data contained names, Social Security numbers, academic records and payroll documents for current and former students, applicants and employees. Approximately the same number of records leaked in a breach at Oklahoma State University. The compromised computer server stored names, addresses and Social Security numbers of students and staff.

In 2009, Eastern Washington University informed 130,000 current and former students that their names, Social Security numbers and dates of birth were presumably compromised in a breach. The incident is notable because the compromised records dated back as far as 1987, so the notification process took up to two weeks. IT staff of the university also noticed that the malefactor had installed software to store video files on the system.

Ohio State University officials disclosed a data leakage in October 2010. Unauthorized individuals stole some 760,000 names, Social Security numbers, dates of birth and addresses of current and former students, faculty, staff members, and university contractors. Later on, it was specified that 517,729 former students and 65,663 current students’ records were compromised. Exact numbers of other affected were not given. Ohio State University took about a month in 2010 to disclose that some 760,000 people had their data exposed and were at risk of identity theft.

While the vast majority of attacks target personal and financial data of students and employees, that is not an inviolable truth for all cases. In May 2011, the University of Wisconsin experienced an incident in which a virus was installed on a university server that housed a software system for managing confidential information. Critical data of 75,000 students, faculty and staff was exposed. Despite the data leakage, experts presumed that the attack was originally aiming to get access to the projects run by the university. “Talking to the forensic experts, we don’t believe the motive was identity theft,” commented Tom Luljak, UWM’s vice chancellor for university relations.

2012 PeopleSoft making appearance in press again, now stealing bank accounts

2012 was the year of another well-known attack on a business application, and again it was a PeopleSoft system. A student at the University of Nebraska accessed a database by compromising the university’s PeopleSoft system. This led to the leakage of not only Social Security numbers and other sensitive data on about 654,000 students and employees but also bank account details of some 21,000 people. The compromised database also included information on alumni that dated back to the spring of 1985. Later that year, the University of Nebraska created a webpage containing information on the incident. The data from Chadron State, Peru State, and Wayne State colleges was also said to be exposed, as the Nebraska college system started using NeSIS, a shared student information system, in 2009. The hacker was finally found and turned out to be a former UNL student. He pleaded guilty to one count of intentionally damaging a protected computer. The damage was estimated at $5,000.

Another incident took place a year later, in March 2013, and became the third major attack on a PeopleSoft system. Salem State University in Massachusetts notified 25,000 students and employees about the probable compromise of their Social Security Numbers.

2013 Higher Education Cyber attacks size record is set

Higher education cyberattacks rarely put at risk large amounts of personal data in comparison with other fields of human activity. However, in the April 2013 security breach, the personal data of 2.4 million current and former students and employees of the Maricopa County Community College District was compromised. Soon after the breach, the FBI notified the district about the data found on a website offering the stolen records for sale.

2014-2016 Hackers became smarter, Higher Education cyber attacks are more specific

This period was no exception when it comes to espionage attacks on universities. Breaches exposed data amounting to several hundreds of records, and methods became more sophisticated and aggressive. The following cases stand out among them.

At the beginning of 2014, the University of Maryland suffered a data breach that exposed records of 309,079 people dating back to 1998. The president of the university community, Wallace D. Loh, noted that the main question was how the attacker managed to bypass the sophisticated, multi-layered security defenses. The authorities of the university commented that the attackers must have had a good comprehension of the hacked system’s structure, the level of encryption and the database protection. Brian Voss, vice president and chief information officer at the University of Maryland, noted that the incident did not resemble typical attacks in which someone left the door open, giving a malefactor an opportunity to get access to the system. As Voss commented, hackers picked through several locks to get to this data.

Another side of this growing sophistication was the attackers’ attention to financial systems, which were considered another soft spot. The case of the University of California, Berkeley illustrates that detecting a vulnerability is not always enough, as sometimes it can already be too late. As soon as a loophole in the Berkeley Financial System (BFS) was detected in November 2015, the campus started implementing the security fix. The BFS is a software application the campus uses for financial management, including purchasing and the majority of non-salary payments. Still, since the patch installation on the system took about two weeks, the hackers had enough time to discover the security flaw and use it to access the system. University officials informed around 80,000 people about the incident. The attack could potentially cause huge losses, as BFS contained the data of some 50 percent of current students and 65 percent of employees.

Sometimes, the malefactors do not try to hide and disclose the attack themselves. Metropolitan State University learned about a breach on servers of the university from the blog post where someone had bragged about hacking into the website. The attacker seemed to be an Australian teenager claiming to have attacked Metro State’s website as well as about 75 others. The authorities made a decision to switch the website to another server in order to prevent further attacks.

The notable feature of this time period is a sharp increase in the number of attacks. According to the statistics provided by Verizon’s annual Data Breach Investigations Report, the frequency of security breaches affecting universities multiplied almost ten times.

2017 Last year’s Higher Education cyber attacks lessons: sabotage

Data breaches at universities still happened in 2017, and the total number of attacks grew to 393 (as you remember, it was only 5 attacks in 2012). But apart from typical attacks targeting SSNs, at this point DoS attacks started to gather pace.

The next attack that we would like to mention does not look typical in comparison with those listed above; still, it deserves your attention. One of the most unusual sabotage attacks was performed on an American university’s network. As a result of the cyber attack, some 5,000 internet-connected objects, including vending machines and even lampposts, started to search for seafood. The situation caused an almost total interruption of internet connection service across the university. The malefactor applied Internet of Things malware that was designed to guess the default password of all the devices that had an Internet connection.

Another sabotage incident is associated with Butler Community College, which claimed to have fallen victim to a DDoS attack. As a result of the distributed denial-of-service attack, the system was overloaded with data, which caused a temporary service interruption.

2018 More than a data breach, cyber espionage campaign on Higher Education

Although 2018 is not over yet, we can already mention some Higher Education cyber attacks that took place in the first half of the year and deserve your attention.

In March 2018, nine Iranian hackers were indicted over a giant attack on over 300 universities worldwide. 144 US universities were affected; the attackers also targeted 176 educational institutions in 21 other countries, including Canada, the UK, Germany, Israel and Japan. More than 100,000 professors’ email accounts were targeted and about 8,000 of them were finally compromised. According to the official information, 31 terabytes of “valuable intellectual property and data” was exposed. According to the DOJ, the incident should be associated with a Tehran-based hacker clearinghouse, the Mabna Institute, which was formed in 2013 and had ties to the Islamic Revolutionary Guard Corps. Geoffrey S. Berman, U.S. attorney for the Southern District of New York, characterized the case as one of the largest state-sponsored hacking campaigns ever, not only in Higher Education but in general. So we see that Higher Education cyber attacks have grown since 2005 from a few incidents to hundreds per year, including ones as large as this.

Final thoughts on Higher Education Cyber attacks

Now, as you have learned about the most notable attacks of the last 13 years, you probably see that cyber risks in the sphere of education are not just real but constantly growing and may lead to unpredictable consequences. While the cases do not describe the whole range of soft spots that attackers may use in the future, this list offers us a possibility to make some clear conclusions on the security landscape of the sphere we are interested in.

  • In comparison with losses that take place in other industries, amounts of stolen data in the field of education are not so tremendous and rarely reach one million. This is probably the only delightful conclusion on the specifics of the data breaches in this area.
  • While the number of compromised accounts is relatively low, the main type of stolen data is personal data, Social Security numbers and bank account details, which makes such attacks potentially very dangerous. For instance, possessing Social Security numbers gives attackers the possibility to open up new credit cards or file someone’s taxes and collect their refund. The main difficulty here is that, unlike with an exposed credit card number, an affected individual cannot just notify their bank and have the account closed.
  • Universities often store massive archives of data dating back decades that include records of not only current, but also former students and employees.
  • The number of attacks on universities is growing much faster than in other spheres and is expected to grow even more in the future, as the security of the educational sector is much poorer than in other spheres, such as banking or retail. Critical data that hackers can find here is the same as in other sectors, so why hack better protected companies if there is low-hanging fruit?
  • And, finally, attacks on Business Applications such as HR, Financial and Campus Solutions based on PeopleSoft or other systems are growing as those systems store the most critical data, and not only hackers can attack them, but also insiders, such as students aiming to change their grades etc.

You cannot change the past, but Higher Education cyber attacks show the mistakes that were made and provide a perfect base for strengthening your security in the future.
