With their stashes of student data and government-funded research, universities are some of America’s juiciest targets for hackers.
With their vast stores of personal data and expensive research, universities are prime targets for hackers looking to graduate from swiping credit card numbers.
These aren’t college kids trying to change their grades. They’re potentially “nation-state actors” much like the hackers who have targeted large corporations in the past, said Michael Oppenheim, intelligence operations manager at Internet security firm FireEye.
“For a university that’s understaffed and under-resourced, it can be a difficult situation for them,” Oppenheim said.
This is not a new phenomenon. From 2006 to 2013, 550 universities reported some kind of data breach, he said. This year isn’t over, but it has already seen its fair share of headline-grabbing hacks.
This year, breaches of Pennsylvania State University and the University of Virginia were blamed on Chinese hackers.
At the University of Connecticut, student Social Security numbers and credit card data were taken. Washington State University and Johns Hopkins University were also targets of attacks.
It’s a trend that is forcing schools to think harder about how they protect students and researchers from a threat that never shows its face on campus.
“As administrators in education, we know that we’re responsible for security writ large,” Nicholas Jones, provost of Pennsylvania State University, told NBC News. “And that includes information security. I don’t think I thought a year ago that I would know as much about information security as I do now.”
In 2014, 10 percent of reported security breaches involved the education sector, according to Symantec’s Internet Security Threat Report. That trails only health care (37 percent) and retail (11 percent).
Despite the frequency of attacks, many schools aren’t prepared to defend themselves. In a recent study, Tinfoil Security tested the networks of 557 state universities with a cross-site scripting (XSS) attack. Twenty-five percent of them were vulnerable.
“A quarter of state universities … that’s insane,” said Michael Borohovski, founder and CTO of Tinfoil Security. “It’s not because they don’t care. It’s probably because they don’t know it’s a problem or they’re simply not catching it in time.”
In May, Penn State revealed that hackers had breached computers in its engineering department — something that was brought to the university’s attention by the FBI.
Overall, about 18,000 students and faculty, plus around 500 research partners, were possibly affected by a breach that might have started as far back as two years ago.
“I don’t think that they were run-of-the-mill criminals after credit card information,” said Jones.