Cybersecurity and Universities
Colleges and universities continue to be targeted based on the treasure of data stored in their system. This includes the students, faculty, and administrative staff’s names, addresses, email addresses, social security numbers, and many more data points per person, which are readily marketable on the dark web. While this is required for the university operations, this also has the tendency to bring unwanted attention from attackers, seeking their data. One such university is the University of Alaska.
Breach
In the recent past, there have been many different attacks used against colleges and universities. In this case, the simplistic email phishing attack was successfully used. This was noticed by the staff when a portion of the users noticed their passwords had changed and there had been unauthorized access. The attackers were able to gain their unauthorized access to names and social security numbers for the students, staff, and faculty. The attack itself took place in December 2016. As with most average or better phishing attacks, the email did appear to be legitimate. The attackers were able to gain access to many accounts though to be secure. These accounts had student and employee information within each. The university was not completely sure if any person’s information was accessed. The university also stated they found no evidence of the emails with sensitive information being directly accessed.
Notification
The affected parties were significant in number for the University. There were approximately 25,000 students, staff, and faculty members’ data involved with this. The University sent letters to notify the affected students, staff, and faculty at the end of April.
Mitigations
On or about March 28, 2018 the review indicated the unauthorized party had accessed the account from January 31, 2018 to February 15, 2018. Once this was detected, the access was terminated and the system locked down. The breach was analyzed and reviewed. The affected persons receiving the notification letter may enroll in the free Identification Theft Loss Reimbursement Insurance Program. The policy insures up to $1M of losses. The persons though, in the case of a loss, are required to prove the loss was due to the breach. This does not sound too difficult. To prove and document this is very difficult given the circumstances. How would one document where exactly the attacker secured the data from? What if there is a loss and the fraudulent acting person cannot be found? To remove the potential for this to occur again, the University was training the staff to be more aware of phishing attacks, better methods to handle and store sensitive and confidential data.
Questions and Lessons Learned
The breach occurred in December 2016. The affected parties were not notified for five months. This gave the attackers five months of time to sell and otherwise work with the data without any interruption. This should have been addressed earlier so the affected persons would have the opportunity to minimize the potential negative effects.
Resources
Associated Press. (2019, April 29). University of alaska seeking people affected by data breach. Retrieved from https://www.usnews.com/news/best-statesalaska/articles/2019-04-29/university-of-alaska-seeking-people-affected-by-data-breach
Dissent. (2019, April 27). University of alaska discovered a breach in february, 2018 that they are revealing now? Retrieved from https://www.databreaches.net/university-of-alaska-notice-of-data-breach/
E-Hacking News. (2019, April 29). Data breach at university of alaska exposes personal information of students online. Retrieved from https://www.ehackingnews.com/2019/09/data-breach-at-university-of-alaska.html
Polk, L. (2019, May 31). University of alaska: Thousands affected by data breach, including names, social security numbers. Retrieved from https://www.ktuu.com/content/news/University-of-Alaska-thousands-affected-by-data-breach-including-social-security-information-425538543.html
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.