University Data Breaches Pose Threat to Students, Academic Openness

Rick Dakin, CEO, Co-founder and Chief Security Strategist

North Dakota State University administrators confirmed last week that hackers never accessed the personal information of more than 200,000 students, faculty and staff housed on the server they successfully infiltrated.

This attack perfectly suits the modern hacker’s MO. They attack open systems wherever they can find them. Just like predators on the African plains, they ignore the strong and well-protected, instead going after the weak and the old. Once one system is compromised, hackers can use it to vector into others, as they did in the recent breach at Target.

Universities are frequently soft targets. They are inherently decentralized, complex and intentionally open. Their IT departments must balance security with a need for openness and academic freedom. Many public universities have also been facing significant budget constraints, which limits the technology and security investments they can make.

When hackers do target universities, financial motivations may not be the prime consideration. An information security officer at one of the universities Coalfire works with has been alarmed by the number of incidents originating from overseas. Since many faculty members work collaboratively as staff at classified research organizations, the general feeling is that the universities are being targeted as part of a broader attack regarding researchers working with national security secrets.

Of course, sometimes colleges are themselves the target, because they do possess a treasure trove of information assets. Beyond payment data and student records, schools manage a significant amount of other sensitive information, including employee records and patient health information.

For parents, one of the scariest aspects of the NDSU attack is that the compromised server included information from 1,300 applicants. High school seniors often apply to six or more schools, meaning their personal information is being stored at colleges they may not even visit, let alone attend.

University officials need to understand the scope of the risks they face. A well-tended firewall is no longer enough. Many recent breaches have been executed with sophisticated, zero-day malware exploits that were undetectable by antivirus solutions. If hackers beat one control, they need to be caught them with the next – or the one after that.

This is also why the current debate over “smart” chip-and-pin credit cards doesn’t go far enough. This technology will help retail locations – which includes on-campus sandwich shops or bookstores – significantly reduce fraud stemming from counterfeit plastic, but that’s really just one layer of protection covering one aspect of potential loss.

All good security programs are based on the principle of “defense in depth.” University security administrators need to improve their monitoring programs and do comprehensive risk assessments that give them an understanding of their information assets. The good news is that more universities now recognize the threat they’re facing and are devoting significant resources towards security, compliance and enforcement. The bad news is that the breaches keep happening and security is a constant process, not an end state.

Given the scale of recent breaches and the impact of the attacks on consumers and shareholders, it’s time for some fresh thinking and decisive executive action. Cyber-attacks are not simply a loss prevention problem – they are the single biggest consumer protection issue of our time.

Rick Dakin


Rick Dakin — CEO, Co-founder and Chief Security Strategist

Recent Posts

Post Topics



Accounting Agency AICPA Assessment assessments ASV audit AWS AWS Certified Cloud Practitioner AWS Certs AWS Summit bitcoin Black Hat Black Hat 2017 blockchain Blueborne Breach BSides BSidesLV Burp BYOD California Consumer Privacy Act careers CCPA Chertoff CISO cloud CMMC CoalfireOne Compliance Covid-19 credit cards C-Store Culture Cyber cyber attacks Cyber Engineering cyber incident Cyber Risk cyber threats cyberchrime cyberinsurance cybersecurity danger Dangers Data DDoS DevOps DevSecOps DFARS DFARS 7012 diacap diarmf Digital Forensics DoD DRG DSS e-banking Education encryption engineering ePHI Equifax Europe EU-US Privacy Shield federal FedRAMP financial services FISMA Foglight forensics Gartner Report GDPR Google Cloud NEXT '18 government GRC hack hacker hacking Halloween Health Healthcare heartbleed Higher Education HIMSS HIPAA HITECH HITRUST HITRUST CSF Horror Incident Response interview IoT ISO IT JAB JSON keylogging Kubernetes Vulnerability labs LAN law firms leadership legal legislation merchant mobile NESA News NH-ISAC NIST NIST 800-171 NIST SP 800-171 NotPetya NRF NYCCR O365 OCR of P2PE PA DSS PA-DSS password passwords Payments PCI PCI DSS penetration Penetration Testing pentesting Petya/NotPetya PHI Phishing Phising policy POODLE PowerShell Presidential Executive Order Privacy program Ransomware Retail Risk RSA RSA 2019 Safe Harbor Scanning Scans scary security security. SOC SOC 2 social social engineering Spectre Splunk Spooky Spraying Attack SSAE State Stories Story test Testing theft Virtualization Visa vulnerability Vulnerability management web Wifi women XSS