A Recap of Recent Cybersecurity Incidents at Universities

Originally published by Schellman.

When considering cybersecurity, many may first think of cutting-edge tech companies. Healthcare providers may spring to mind for others and government agencies for still others. But strong cybersecurity—if it’s not already—is becoming paramount in every sector, and if the recent attacks tell us anything, it’s now paramount for universities as well.

Stories out of the University of Minnesota and Indiana University—among others—have demonstrated that cybercriminals have set their sights on institutions of higher education, which means that schools need to be on high alert.

They also need to know what they’re up against. To help you get up to speed, we’re going to detail five big ones so that other schools can understand the breadth of the threats being aimed at schools and can begin to make preparations to avoid similar issues.

Education may not be the first sector anyone thinks of when considering cybersecurity, but those operating within it should certainly have cybersecurity on their minds.

5 Cyber Attacks on Universities You Need to Know About

1. University of Minnesota – Database Hack

Though the school only realized in July 2023 that the 2021 breach had occurred, they confirmed a criminal incursion into a database that contained financial aid applications, which are comprised of a slew of personal information, including:

• Full names
• Contact information such as addresses and telephone numbers
• Social Security numbers
• Driver's license and passport information

Such data that was compromised dated back to 1989 of prospective students, students that did attend the school, and staff. UM’s operations were never impacted, nor was their access to their data ever restricted, which likely contributed to the attack flying under the radar for such a long time as the school didn’t realize what had happened until they learned the hacker was posting the stolen sensitive data online (in 2023).

2. Indiana University – Unprotected Third-Party Assets

Every year, across hundreds of higher-learning institutions across the U.S. (and Canada), thousands of students—including transfers—take the Beginning College Student Engagement Survey (BCSSE) and share information about their prior academic and co-curricular experience, as well as their expectations for the coming year.

As part of this survey, students provide their full names and student card numbers, as well as other personal information like their sexual orientation, race, and ethnicity. The BCSSE is intended to remain mostly confidential, but outside researchers found that Indiana University stored this data on two unprotected Azure Storage blogs that contained over 1.3 million exposed files.

That was in May 2023—in July 2023, cybercriminals posted an IU database and almost 250k records, including names and email addresses, to a forum for stolen data (though the university maintains that information was already in the public domain).

3. University of Georgia – Third-Party Software Vulnerability

In September 2023, the University of Georgia confirmed that cybercriminals gained access to data stored in the MOVEit Secure File Transfer and Automation software that UGA was using to store and transfer sensitive data.

Progress Software—MOVEit’s creator—identified a defect in their program that may have exposed data. Though it remains unclear when the hack occurred, an unauthorized party indeed accessed university data that included, among other personally identifiable information:

• Student names, as well as faculty members’ names
• Contact information such as addresses, phone numbers, and email addresses
• Social Security numbers
• Staff salary and benefit information

The breach at UGA was part of a larger one affecting the University System: according to other reporting, other related victims of the same criminals—which are thought to be the Russia-linked gang Cl0p—include Johns Hopkins University, Washington State University (WSU), and Colorado State University, among others, as well as some U.S. banks, international companies, and several state governments.

4. Lincoln College – Ransomware

A historically Black university located in rural central Illinois, Lincoln College—a small school of about 600 students—became the first American college to shutter its doors due to a ransomware attack on the school in 2021 after 157 years in operation.

Already struggling due to the COVID-19 pandemic, the school became “a victim of a cyberattack in December 2021 that thwarted admissions activities and hindered access to all institutional data, creating an unclear picture of Fall 2022 enrollment projections," according to an announcement posted to the school’s website.

Though no personal identifying information was ever exposed, the systems impacted by the breach included those required for recruitment, retention, and fundraising efforts, which were inoperable for three months until March 2022. Though the school never disclosed the attackers or what they asked for, some news reports say that the ransom attack is thought to have originated from Iran and the demand was less than $100,000 (which was paid).

The school would close in May 2022—it did not survive ransomware, despite having endured “many [other] difficult and challenging times – the economic crisis of 1887, a major campus fire in 1912, the Spanish flu of 1918, the Great Depression, World War II, the 2008 global financial crisis, and more.”

5. University of Pisa – Ransomware

Cybersecurity attacks on universities aren’t limited to the United States. In June 2022, the University of Pisa fell victim to the BlackCat ransomware group which seized the university’s IT system before seeking a ransom of a whopping $4.5 million, making it one of the bigger ransoms demanded in 2022.

Though we still don’t know if the school was forced to pay the hackers their demands, at the very least, we do know that BlackCat, in its ransomware, uses a modern programming language (Rust) adept at evading detection, which no doubt allows them to deal more damage. Regardless of whether or not the university paid, the attacker’s demand still ranked among the biggest ransomware amounts of 2022.

Consequences for Poor Cybersecurity in Universities

All this to say, universities and colleges, especially those with research labs, have become frequent targets for hackers—particularly those peddling ransomware—no doubt due to the sector’s overall lack of investment in cybersecurity, which is now, unfortunately, being brought to harsh light.

What’s worse is that the consequences can be devastating. Like Lincoln College, many schools don’t have major funds to pay their ransomware attackers, but the impact of cyber incidents at universities can go beyond the financial:

• Operational Disruptions: Depending on the sophistication and what is compromised, attacks may even force an institution to shut down for days.
• Academic Interruptions: If systems are compromised, examinations and admissions processes may need to be postponed, and classes may need to be canceled, stalling the student learning process.
• Exposure of Personal Data: If the personal data of students or staff is compromised, that leaves them vulnerable to identity theft, among other issues.
• Reputational Damage: Though universities have worked hard to stay tight-lipped about the details of attacks, cyber incidents garner negative media attention which erodes the trust of current and prospective students, their parents, and staff.

Cybersecurity in Every Sector

As you’ve just learned, cybercriminals are creative and have already targeted a wide variety of schools, and to avoid the similar negative fallout suffered by the universities mentioned, other institutions must take steps to better protect themselves, especially as the threat landscape continues to evolve and attacks grow more sophisticated.