Alert! The Australian Education Sector is under Attack
The recent Australian Cyber Security Centre (ACSC) threat report has revealed that approximately one-quarter of reported cyber security incidents during the 2020-21 financial year affected critical infrastructure organisations and essential services such as education.
Through this period, the ACSC received over 67,500 cybercrime reports. The education sector was identified as one of the top five sectors accounting for approximately 6.2% of incidents. This equates to around one cyber attack in the education sector every two hours.
As a parent of three kids, this was worrying and triggered me to write this blog post to highlight some of the threats facing the education industry, why they are dangerous and what makes that industry an appealing target to cyber criminals.
In a recent Australian University data breach incident, the names, email addresses and phone numbers of around 5,200 university staff, 100 students and some externals were made available on the internet. The information was captured from an event registration system. Such information can then be purchased by marketing firms or companies that specialise in spam campaigns. Buyers can also use stolen emails in phishing and other social engineering attacks and distribute malware.
All educational institutions possess sensitive data about their students. The information includes full names, addresses, birthdates, contact numbers, email addresses, tax file numbers, driver’s license information, passport information, disability information, among other personal information. In the case of schools, they collect similar information about the parents!
Educational institutions’ personal data is of great value to cyber criminals, who won’t hesitate to sell it for profit. The buyer can apply for loans or credit cards under the victim’s name and file fraudulent tax returns. This has enormous implications for the educational institution, not only for their reputation but also the legal implications and costs associated with supporting the individuals impacted. For example, the University of California (UC) offered credit monitoring to individuals affected by a similar recent data breach and also conducted workshops designed to help individuals protect themselves against possible identity theft.
Educational institutions are a gold mine for cybercriminals looking to get the most bang for their buck. This is because of their intellectual property, advanced research and technology innovations which are all high-value information.
Stolen information can be sold to governments and companies. Mabna Institute, an Iranian threat actor, recognised the value of educational institutions’ information and targeted at least 380 universities from over 30 countries between 2013 and 2017 and stole 31 terabytes of data worth AU$4.6 billion. Of the universities targeted, 20 were Australian.
Another example is the Red Apollo group which specifically targets intellectual property from educational institutions and is predicted to expand operations into the education sector in the jurisdictions of nations allied with the United States.
Another example that stands out is the NetWalker group that attacked many universities in the US, including the University of California, which paid US$1.14 million in ransom (Tidy 2020) and the University of Utah, which paid US$457,059 (Cimpanu 2020).
The threat to Australian universities is significant, considering the quality and quantity of research performed and cyber criminals' interest in the education sector and Australian businesses.
Complex Infrastructure to Manage
The education sector has embraced technology to create new digital learning environments. The new environments seamlessly integrate technology into spaces designed around teaching and learning, giving instructors and students the tools they need to succeed in a setting that promotes collaboration and supports multiple learning styles.
This increased the number of IT systems used and created complex infrastructure to manage while creating more opportunities to compromise systems.
Furthermore, many education institutions offer online learning to international students, opening their network to more risks. And those who did not want to take that path were forced to do so as early as March 2020 when the COVID-19 pandemic hit and all education institutions had to embrace online learning.
Last but not least, the bring your own device (BYOD) trend has made its way from offices into educational institutions. Classrooms are filled with students attached to their own smartphones and tablets, and teachers and administrators use their own personal phones and computers for teaching tools, lesson planning and communication with students and parents.
The complex infrastructure and IT systems, the challenges of remote learning and the personally owned devices inside and outside the classroom create cyber security challenges for educational institutions' IT departments.
Fraud and Abuse
In April 2021, the Tertiary Education Quality and Standards Agency (TEQSA) alerted all Australian higher education institutions that it had been made aware that multiple Australian higher education websites on the ‘edu.au’ domain appeared to have been compromised. One type of malicious code included fake scholarship essay contests inserted into the higher education institutions' websites, designed to harvest original student work that the hacker then sells on the dark web.
Such a breach presents a risk to student interests and the reputation of education institutions. As a result, there is a need to protect all digital assets in addition to the infrastructure.
Another threat is credential theft, whether it happens through malware or phishing; many attackers steal university academic credentials to gain free access to information, download a large number of articles and then sell them on the dark web. This puts an additional burden on educational institutions that provide these accounts to safeguard them and their resources from abuse.
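One way to spot this kind of account abuse is to watch library-proxy logs for accounts that pull many articles in a short window or from several source addresses at once. The sketch below is an added example, not from the ACSC report or any institution's tooling; the log format, account names, addresses and thresholds are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: timestamp, account, source IP, requested path (hypothetical format)
SAMPLE_LOG = """\
2021-04-12T09:00:05 jsmith 203.0.113.10 /article/1001.pdf
2021-04-12T09:40:00 jsmith 203.0.113.10 /article/1002.pdf
2021-04-12T10:00:00 mlee 198.51.100.7 /search?q=graphene
2021-04-12T10:00:10 mlee 198.51.100.7 /article/2001.pdf
2021-04-12T10:00:40 mlee 198.51.100.7 /article/2002.pdf
2021-04-12T10:01:10 mlee 198.51.100.7 /article/2003.pdf
2021-04-12T10:01:40 mlee 198.51.100.7 /article/2004.pdf
2021-04-12T10:02:10 mlee 198.51.100.7 /article/2005.pdf
2021-04-12T10:02:40 mlee 198.51.100.7 /article/2006.pdf
2021-04-12T11:00:00 akhan 192.0.2.15 /article/3001.pdf
2021-04-12T11:02:00 akhan 198.51.100.99 /article/3002.pdf
2021-04-12T11:04:00 akhan 203.0.113.77 /article/3003.pdf
"""

# Assumed thresholds; tune them against the institution's own baseline.
WINDOW = timedelta(minutes=10)
MAX_DOWNLOADS = 5
MAX_SOURCE_IPS = 2

def parse(line):
    ts, user, ip, path = line.split()
    return datetime.fromisoformat(ts), user, ip, path

def find_abuse(log_text, window=WINDOW, max_dl=MAX_DOWNLOADS, max_ips=MAX_SOURCE_IPS):
    """Return {account: [reasons]} for accounts over a threshold in any sliding window."""
    recent = defaultdict(deque)   # account -> (timestamp, ip) of recent article downloads
    alerts = defaultdict(set)
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    for ts, user, ip, path in events:
        if not path.endswith(".pdf"):
            continue              # only article downloads count, not searches
        q = recent[user]
        q.append((ts, ip))
        while ts - q[0][0] > window:
            q.popleft()           # drop downloads that fell out of the window
        if len(q) > max_dl:
            alerts[user].add("bulk_download")
        if len({addr for _, addr in q}) > max_ips:
            alerts[user].add("many_source_ips")
    return {u: sorted(r) for u, r in alerts.items()}

if __name__ == "__main__":
    print(find_abuse(SAMPLE_LOG))
```

A flagged account is a lead for review (forced password reset, session revocation), not proof of compromise, since legitimate researchers also download in bursts.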
The education sector is exposed to complex challenges protecting their data confidentiality, service availability and academic integrity against cyber attacks. Educational institutions are recommended to implement the Essential Eight mitigation strategies from the ACSC as a baseline to mitigate cyber security incidents.
In addition, Skillfield highly recommends building a mature cyber incident detection and response capability to understand the threats and determine how to better detect and prevent adversaries from compromising systems.