The message, emailed to thousands of students and employees at the University of Colorado’s Boulder campus last week, was alarming. Their personal information, including addresses, phone numbers, Social Security numbers, academic progress reports, and financial documents, had been stolen, and their university was refusing to cooperate with extortion demands. As a result, the data was starting to be posted on the dark web, the shadowy back channel of the internet where cybercriminals lurk.
Elsewhere around the country, students and employees at at least nine other universities were receiving similar warnings. The campuses are part of an escalating number of extortion and ransomware attacks the FBI has been tracking since March 2020, when the Covid-19 pandemic took hold in the U.S. Cybercriminals have taken advantage of the unique circumstances of the pandemic to double down on their demands.
“The rapid shift to distance learning and remote work dramatically increased the attack surface,” said Paul B. Davis, who advises higher-education institutions about cybersecurity threats for Gallagher, a global insurance broker.
He said his clients have reported a significant increase in the number and severity of cyberattacks since the pandemic began. “Many more devices were logging in remotely, and not every institution had the proper controls in place to manage access.”
Last month, the FBI issued a warning detailing how hackers infiltrate vulnerable networks using a malicious software, or malware, that encrypts data on a computer, making it unusable. Cybercriminals may threaten to destroy the data or publicly release it unless a campus, or individual, pays up.
Sometimes they do. In August, the University of Utah paid more than $450,000 to prevent sensitive information from being released on the internet. Although the FBI strongly discourages paying ransom, the March warning said it understands “that when victims are faced with an inability to function, all options are evaluated to protect shareholders, employees, and customers.”
Just Part of the Minefield
Like many institutions, the University of Colorado system takes extra precautions when transferring large files and data sets that contain personally identifiable information protected by privacy laws. But in late January, it learned that even those steps fell short when the third-party software it was using, from the global cloud provider Accellion Inc., was hacked. More than 300,000 of the university’s records were exposed, mostly at the Boulder campus but some at the Denver campus. These included student grades and transcripts, medical treatments and diagnoses, and a small number of Social Security numbers. Other universities affected by the massive attack included the University of Miami, the University of Maryland at Baltimore, Yeshiva University, Harvard Business School, the University of California at Davis and Stanford University‘s medical school.
Colorado immediately shut down its file-transfer service and switched to a different tool. The university offered free credit and identity monitoring and fraud consultation while it took a deep dive into the data breach. (Accellion released a statement in March that said it had closed “all known” vulnerabilities and no new ones had been found.)
Acting on the advice of the FBI, the university refused to give in to the demand for $17 million. “There is no guarantee that the cybercriminals will honor promises to not post information,” the university said in a statement. “Nor is there assurance that they won’t try further extortion.”
Cyber threats are, unfortunately, just part of the minefield universities are walking through today, said Ken McConnellogue, a Colorado spokesman.
“This is as serious an attack as we’ve had, which affected a huge swath of our university community,” he said. Researchers worry about intellectual data being compromised, students about grades and Social Security numbers. Even though the software that was hacked belonged to a third party, “people expect us to be as responsible as we can be with their data.” The university has accelerated efforts to tighten safeguards, as well as to “bring cyber awareness to the fore.”
The fact that fewer than 20 Social Security numbers were included in the trove of data the hackers accessed is due to the university system’s decision years ago to ask for student and employee IDs rather than Social Security numbers on forms that require personal identification, according to McConnellogue.
Since 2005, school districts and colleges have suffered more than 1,300 data breaches, affecting more than 24.5 million records, a 2020 report from the website Comparitec found. Colleges accounted for three-quarters of the educational breaches, with California and New York the biggest hot spots.
At colleges, 43 percent of the intrusions were traced to cybercriminals hacking their way in, while another 27 percent of the breaches happened when institutions accidentally leaked information out. That could happen if someone mistakenly attaches personally identifiable student data to an email. Lost or stolen laptops and other portable devices accounted for another 15 percent.
The problems have only intensified over the last year. “One of the things the pandemic has done is made it much easier for hackers to launch phishing attacks,” said Frank Quinn, who heads the breach-response team in the United States for Beazley, a cyber insurer. These emails purport to be from reputable companies to prompt people to reveal personal information like passwords and credit-card numbers.
Cybercriminals have exploited people’s health and financial worries by emailing authentic-looking messages touting vaccine availability or steps for accessing Covid-related assistance. “They hit emotional triggers that can be compelling hooks,” Quinn said. People who have been trained to scrupulously avoid clicking on links from unknown sources aren’t always as careful when scrolling through emails on their cellphones, he added.
Insurance rates for cybersecurity protection have skyrocketed between 30 and 65 percent for his clients since the pandemic began, Davis said. And in order to get insurance now, colleges may have to show that they’ve taken more precautions, such as requiring two-factor authentication and educating all users about how to avoid phishing attacks.
In some cases, the insurer will connect the campus with a ransom negotiator, Quinn said. Some hackers “are highly skilled and strangely customer-service focused, so you might get a good outcome if you’re forced to pay,” he said. Others, the bumbling amateurs, “may be using software they don’t really understand well.” If there’s a problem with the decryption process, they may not be able to hold up their end of the bargain even if a college pays up.
Experts offer a range of tips to help campuses stay one step ahead of hackers:
- Make sure remote access to the network is tightly secured. Scammers are constantly scanning the web, ready to pounce when doors are open, even for a moment. Virtual private networks are one way to keep intruders out.
- Follow a 3-2-1 backup strategy of having three copies of data on two different media, with one copy offsite for disaster recovery. Practice recovering data so it can be done quickly.
- Use multifactor authentication, which requires at least two forms of identification to sign in, when possible. Don’t just rely on a username and password
- Reduce the number of people who have elevated security clearance to access sensitive sites.
- Train students and employees to avoid clicking on phishing emails.
A Treasure Trove of Data
Last month, as students were heading into finals, the University of Texas at El Paso’s network suddenly went down. A post on Facebook informed students and employees of “an unauthorized and potentially malicious intrusion” into the on-campus network. “Following our standard procedures, we immediately turned off all of our campus systems and have been working throughout the weekend to test and bring each system back online after checking it thoroughly,” it said.
As students were knocked offline, dozens of panicked messages began popping up on social media. Tomorrow was the deadline for a final exam. A research paper was due and a student couldn’t access the library or reach a professor. Would professors delay their exams or give them extensions? Bills were due and the online payment center was down. Would late fees be waived?
University staff members scrambled to answer questions while systems were methodically tested and restored.
In a recent update, the university’s president, Heather Wilson, reassured everyone that there was no indication that personally identifiable data had been compromised. Although more updates are expected, “we may never know exactly where the intrusion occurred or how it happened,” she wrote. “Every month, like other institutions of our size and scope, our Information Resources team successfully mitigates a very large number of software vulnerabilities and fends off about 20,000 external security threats to our network. We are continuing to take steps to enhance the security of our systems in the face of evolving cybersecurity threats.” The next step will be to prepare for new cybersecurity requirements the federal government is imposing on research universities to strengthen and document data-protection procedures, Wilson added.
Also in Texas, Prairie View A&M University suffered a major cyberattack in February that immobilized all major networks, forcing the university to cancel classes and shut down online classes.
The amount of sensitive data that colleges, and the companies they work with, collect has only increased over the past year. Health data is carefully tracked, and crowd density deciphered through video surveillance and wall-mounted sensors. Remote proctors scan students’ faces and gestures for signs of cheating. It all adds up to a treasure trove of data that some cybercriminals might consider ripe for picking.