4 Cyberattacks that Shook Universities and Colleges in the Last Year

Recent years have seen a huge increase in cyberattacks against universities and colleges. According to Zscaler data, IoT malware attacks alone have risen by 961% in the industry since 2022.

Most attacks are financially motivated, with attackers aiming to steal or encrypt sensitive data (or both) and demand a ransom payment for its safe return. However, there is a historical precedent for large-scale espionage attacks against higher education institutions, including by state-sponsored threat groups in Iran and China.

Verizon’s 2023 Data Breach Investigations Report found that around 92% of attacks are financially motivated across the broader education industry, while 8% are espionage. In higher education, it’s reasonable to assume a slightly higher rate of espionage, though it should be noted that many cyber espionage attacks go unnoticed due to high levels of attacker skill and the lack of overt demands.

This article discusses why cyberattacks in higher education have become so common and looks at four recent examples of serious breaches at U.S. universities and colleges.

Why are Cyberattacks a Concern for Universities and Colleges?

The obvious answer is that they’re hugely disruptive and costly.

Between 2022 and 2023, the average downtime for educational institutions caused by ransomware disruptions rose from 7.9 days to 11.6 days, while the average cost of a data breach in higher education remained fairly steady at $3.65 million.

But this only tells part of the story.

The fact is that higher education institutions make excellent targets for cybercriminals for a number of reasons:

  1. Universities and colleges have a low tolerance for downtime, making them susceptible to paying ransom demands in an effort to “limit the damage” of a cyberattack.
  2. They have large and complex attack surfaces, including many user-owned and Internet of Things (IoT) devices. This has the dual impact of being extremely challenging to secure and providing many potential entry points for cybercriminals.
  3. Most have complex partner and vendor networks, placing them at high risk of third-party data breaches. Approval for adding devices to networks is often distributed across schools, departments, or even individual faculty members.
  4. While they often spend heavily on IT, most of this goes on improving functionality and access for faculty and students—not on securing increasingly complex IT infrastructure.

Unfortunately, cybercriminals have realized that higher education institutions present an opportunity for profit. Until that changes—most likely through a significant additional investment in cybersecurity across the industry—high-profile breaches in the industry will continue to be a common feature in the media.

4 Recent Higher Education Cyberattacks

1. University of Michigan: 230,000 Personal Records Stolen

In August 2023, the University of Michigan suffered a major data breach that resulted in the theft of sensitive personal information relating to around 230,000 students, alumni, and employees. The stolen information included details such as individuals’ financial accounts, Social Security numbers, driver’s license details, and health information.

In a statement, the University described the attacker as an “unauthorized third party” that gained access to certain university systems over a period of five days in August 2023. On detecting the attack, the university took “quick and decisive action to contain the incident,” including the immediate disconnection of its campus network from the internet and obtaining the support of “leading third-party experts” to support its investigation and resolution of the breach.

“Based on data analysis, we believe that the unauthorized third party was able to access personal information relating to certain students and applicants, alumni and donors, employees and contractors, University Health Service and School of Dentistry patients and research study participants,” a spokesperson for the university said.

All told, the campus network was disconnected from the internet for four days. Following the attack, the university faced two lawsuits claiming it was negligent in protecting the information it held.

2. Stanford University: Department of Public Safety Breached

The Stanford University Department of Public Safety was attacked in October 2023, with the Akira ransomware gang claiming to be in possession of 430GB of the university’s “private information and confidential documents”.

The university confirmed the attack in November, claiming it was connected to an earlier attack in which “hackers breached the Stanford University Department of Public Safety’s (SUDPS) firewall, potentially compromising their network and data.”

Since its announcement, there have been no further updates from Stanford University about what data may have been compromised. However, the University claims the attack was local to the SUDPS and had not affected any other part of the university or police response to emergency calls.

This was the university’s third breach in 2023, following a system error in February and a third-party software breach in April.

3. Mount Saint Mary College: Stolen Data Published on Dark Web

In December 2022, Mount Saint Mary College suffered a ransomware attack in which an “unauthorized third party” gained access to some systems, disabling them. The college immediately notified law enforcement, including the FBI, upon discovering the breach.

In a statement, the college claimed it had immediately “disconnected all systems and engaged third-party forensic specialists and IT specialists to assist with securing the network environment and investigating the extent of the unauthorized activity.”

In the days following the breach, the Vice Society ransomware gang claimed responsibility for the attack. The group is well known for targeting schools, colleges, and universities with ransom-style cyberattacks, including ransomware. The group delivered a ransom demand in exchange for the safe return of the stolen data, but following advice from the FBI, the college refused to pay.

In February 2023, Vice Society published stolen data on the dark web. Notably, up until this point, the college had not publicly confirmed the breach—however, once the stolen data was published, the college released its statement and offered “free credit monitoring and identity theft protection services” for affected individuals.

4. Universities of California, Los Angeles, Missouri, Rutgers, and More: Mass Theft of Personal and Sensitive Information

In May 2023, the Cl0p ransomware group took responsibility for a string of attacks against hundreds of organizations, including a host of higher education institutions. The group claims it stole data by breaching MOVEit, a software product used for file transfers. MOVEit is widely used in industries where sensitive information regularly needs to be shared because the software is known to adhere to high levels of cybersecurity maturity.

The breach was particularly significant for higher education due to the prevalence of third-party vendors—many with ties to colleges and universities—using the software. For example, the University of Missouri was caught up in the MOVEit file transfer breach through a third-party vendor used in enrollment operations.

As with many of the MOVEit attacks, a number of attacks against universities resulted in the theft of sensitive information, including that relating to individuals. Some institutions—including Stanford University’s School of Medicine and New York’s Yeshiva University—reported student and employee Social Security numbers and financial information were stolen, with some posted online.

The MOVEit attacks aren’t ransomware because they don’t involve encryption of compromised data. However, many affected institutions still received ransom demands relating to the stolen data.

Protect Your Higher Education Institution from IoT Threats

Securing a college or university campus is far from straightforward. So, while the attacks described here are concerning, they’re hardly surprising.

In reality, many cyberattacks against higher education institutions go unreported in the media, and in many more cases, universities never publicly share the extent or cause of breaches. In all likelihood, the frequency and severity of cyberattacks in higher education are even higher than the reported figures suggest.

So, what can you do?

One of the major causes of cybersecurity risk in higher education is the extremely high prevalence of connected devices—everything from connected screens, speakers, HVAC, thermostats, cameras, employee and student devices, building automation, and more.

Securing network access and managing vulnerabilities across such a diverse network environment is tough. But that’s where we come in. Asimily’s platform streamlines IoT security, making it easy to lock down traffic, monitor traffic sources, and identify unusual connections. 

Higher education institutions can use Asimily’s Risk Simulation to assess mitigation options for individual vulnerabilities and devices before implementing fixes. This can help you prioritize your efforts, identify high-risk devices, and avoid wasted effort.

Asimily understands your unique environment and provides real-time, actionable remediation steps to reduce risk and save time—making our customers 10X more efficient at resolving IoT security risk.

To find out how Asimily can help manage the security risk of connected devices at your higher education institution, download our white paper: IoT Device Security in 2024: The High Cost of Doing Nothing. To get started immediately, contact us today.
