Most news stories on data breaches and cyberattacks worldwide come from the healthcare, financial services, and retail industries. However, according to new research, institutions in the education industry are not immune from cyberattacks, either.
The education vertical fell victim to more data breaches than either the government or banking sectors in the last decade. From 2006 to 2013, 550 universities reported some type of data breach. If records from institutes of education are breached, there is a nearly 80 percent chance personally identifiable information (PII) will be stolen. Of education-related breaches involving PII loss, 1.35 million identities were exposed in 2014 alone.
Primary and secondary schools alike are falling victim to cyberattacks throughout the United States:
- Fifteen thousand students at Sachem School District in Long Island, NY, had personal data – including school ID numbers and names of those receiving free or reduced lunches – posted to an online forum.
- A charter school in Jersey City, NJ, obtained names, addresses, phone numbers, dates of birth, and possibly social security numbers of students attending traditional public schools in order to mail them registration forms.
- Ten thousand employees at Prince George's County public schools in Maryland had data, including social security numbers, compromised during an attack.
- Penn State University sustained two cyberattacks in its Engineering and Liberal Arts colleges. The attack on the College of Engineering disabled its network for three days.
- Two University of Virginia officers whose work was connected to China fell victim to a targeted cyberattack.
- The latest cyberattack to afflict the University of Connecticut led to the loss of an unknown number of social security numbers and credit card data.
Despite all of these attacks, many schools are still unprotected. After networks of 557 state universities were recently tested with a cross-site scripting attack, 25 percent of them were found to be vulnerable to data breaches.
The education sector is a high-profile target because it:
- retains hundreds of thousands – if not millions – of personal records with enough PII to create credit files;
- stores – or has access to – valuable research and intellectual property; and
- offers a desirable platform for attacking others, because its legacy IT infrastructure is woefully prone to cyberattacks.
Schools, universities in particular, are pioneers of the modern internet, and they still run legacy systems and legacy approaches to security. They are also the birthplace of Bring Your Own Device and generally operate in highly decentralized IT environments. The transient nature of school populations can make tracking down the source of malicious software difficult. There are limited options for software for services such as student registration. The education sector isn’t exactly one that makes rapid adjustments to change, either.
Schools and universities also don’t have a regulatory body monitoring and advising on cybersecurity. The Federal Trade Commission goes after bad actors that violate customers’ privacy, but it is limited to pursuing corporations. The U.S. Department of Education does not even track school cyberattacks.
Due to this lack of oversight, many schools feel they are going it alone. When a school district in New Jersey had its computer system held for a ransom exceeding $100,000, making it impossible for children at four of its elementary schools to take their online statewide tests as scheduled, it rebuilt its entire computer system from scratch. The process, which took approximately two weeks, locked teachers, administrators and students out of using their computers. A group of workers from an educational nonprofit group based in New Jersey helped the district reconstruct its system.
While the nonprofit group didn’t charge the school district for this service, the disruption to education is despicable. Other school districts, many of which are in a tough fiscal environment, may not be as lucky. Fortunately, we can help. US Cyber Shield instantly detects and neutralizes cyberthreats before they reach your network. Our expert team of intelligence agents – combined with distributed denial of service protection, next-generation firewalls, advanced malware, intrusion protection and detection, and data loss prevention technology – will secure your company from threats without expensive purchases of brand-new IT infrastructure.
Written by Rob LaMear, CEO, US Cyber Vault