Cyberattacks in universities
Are universities doing enough to defend themselves from cyberattacks? Source: Shutterstock

Universities across the globe continue to be struck by a spate of cyberattacks despite high profile data breaches making headlines.

Recently, students and staff at Justus Liebig University (JLU) Giessen in Germany were asked to queue in person for a new email password after their university was subjected to a cyberattack. According to the BBC, the attack on December 8, 2019 initially took the entire university offline.

In the UK, Lancaster University was struck with a “sophisticated and malicious” cyberattack in July, resulting in breaches of student and applicant data. 

The university said undergraduate applicant data for 2019 and 2020 were accessed, including information such as their names, addresses, telephone numbers and email addresses. The “records and ID documents” of “a very small number of students” were also accessed.

In Australia, the Australian National University (ANU) said in June that attackers breached its cyber defenses in late 2018, potentially gaining access to sensitive data, including students’ bank account numbers and passport details going back 19 years, Reuters reported.

What are cybercriminals after?

Cyberattacks in universities

Cybercriminals sell data or use it for ransom. Source: Shutterstock

According to Malwarebytes Labs, schools collect and store valuable and sensitive data on their children and staff members, which are highly sought-after by threat actors. This includes data from allergies and learning disorders to grades and social security numbers. 

These individuals use it to hold schools for ransom or to sell for high profit margins on the black market. Data belonging to children typically earn a higher price. Monroe College in New York City had its computer systems hacked in July, with hackers demanding approximately US$2 million in bitcoin. 

Malwarebytes Labs said universities are prime targets of cybercriminals for numerous reasons, some of which include:

  • A lack of resources, which means efforts to boost cybersecurity takes a backseat;
  • Outdated technological infrastructure make it easily penetrable by cybercriminals; 
  • Students and staff connecting to school networks from personal devices that may be jailbroken, both on-premises and at home; 
  • Some students may hack school software out of boredom or to shut down the Internet and disrupt the school day.

Are universities doing enough to protect themselves?

Malwarebytes Labs said that from January to June 2019, adware, Trojans, and backdoors were the three most common threats for schools. Adware made up 43 percent of all education detections, 25 percent were Trojans while another three percent were backdoors.

Earlier this year, a report by HEPI and Jisc said: “Organisations that do not adequately protect themselves risk the loss or exposure of personal student and staff data and also commercial, institutional and research data that are valuable to cyber criminals operating domestically and internationally.” Jisc is a not-for-profit organisation that provides the UK’s national research and education network, Janet, to which all universities and research centres are connected. 

They expressed a lack of confidence in UK higher education providers to protect themselves from cyberattacks. 

“The security landscape has been evolving over many years and will continue to evolve as the arms race between attackers and defenders continues,” it said.

“It is imperative that those in higher education continually assess and improve their security capability and for higher education leaders to take the lead in managing cyber risk to protect students, staff and valuable research data from the growing threat of attack.”

Speaking to NBC News, experts in the area said universities faced unique challenges in cybersecurity compared to corporations, primarily because mainly they must allow people to bring their own devices.

They said an important first step is to acknowledge the threat of cyberattacks, while they can bolster efforts to protect themselves by prioritising the most sensitive information and spend their limited resources protecting it.

Liked this? Then you’ll love…

Degrees Explained: Cybersecurity

With the shortage of cybersecurity professionals, schools are rewiring their curriculum