The hacks have exposed the personal information of students, faculty, alumni and donors.
Photo illustration by Justin Morrison/Inside Higher Ed | Jumping Rocks/Universal Images Group/Getty Images | aimintang and matejmo/iStock/Getty Images
A series of recent data breaches are highlighting why wealthy, high-profile higher education institutions are particularly vulnerable to increasingly sophisticated cyberattacks.
Last week, hackers cracked a database managed by Princeton University’s advancement office containing information about alumni, donors, some faculty, students and parents. Two weeks earlier, hackers stole similar records from the University of Pennsylvania. Those attacks followed others earlier this year at Columbia University—which exposed the data of 870,000 people, including students and applicants—and New York University, which compromised the personal data of some three million people who have applied to the university since 1989.
While wealthy, selective universities are far from the only institution types that fall victim to cyberattacks, experts say their reputations, resources and research profiles make them especially attractive targets. To protect themselves, institutions should invest in IT staff and systems and educate students and staff about potential threats.
“If I’m going to break into a bank, I’m breaking into the biggest one I can find,” said Doug Thompson, chief education architect and director of solutions engineering for Tanium, a cybersecurity management company. “They’re ripe for it because they’re so big and have so much money. If a hacker is going to attempt to hack a university, they’re going to try to get the most bang for their buck.”
In addition to obtaining tranches of personal identifying information that can be sold on a black market, swiping a list of a well-endowed university’s donors creates even more opportunities for future scams. “Now, the hackers have a whole bunch of private targets,” Thompson said. “They have the names of people who have enough money to donate to these institutions.”
But money isn’t the only motivation. Since Ivy League and other elite institutions have become the face of broader political attacks on higher education, they’re more likely to attract so-called hacktivists.
“In the current political climate, academic institutions and their employees are drawing ire from all kinds of fringe groups, protesters and entities that might get incensed by something they say or do and launch those types of attacks,” said Brent Riley, vice president of digital forensics and incident response for the North American division of Cyxcel, a digital risk advisory firm.
In addition to stealing valuable data, the hackers at Penn bragged about their work in a vulgar, fraudulent mass email sent from a upenn.edu email address to the university community. The email referred to Penn as an “elitist,” “woke” and “unmeritocratic” institution with “terrible security practices” that hires and admits “morons because we love legacies, donors, and unqualified affirmative action admits.”
“We love breaking federal laws like FERPA (all your data will be leaked) and the Supreme Court rulings like [Students for Fair Admissions v. Harvard],” the email said. “Please stop giving us money.” Similarly, the Columbia and NYU hackers have attributed their motivations to getting enrollment data to show their alleged defiance of the Supreme Court’s 2023 ruling in SFFA that race-conscious admissions are unconstitutional.
The cutting-edge research wealthy universities conduct also makes them more vulnerable to cyberattacks from other nations.
“They will target institutions to steal research data so they don’t have to spend the money to produce it themselves,” Riley said. “Any university that’s conducting research into the military, pharmaceuticals or manufacturing is a high-value target for threat actors from other countries where the government employs hackers to steal trade secrets and patentable information.”
All of those cybersecurity risk factors specific to elite institutions are in addition to the operational setup that makes nearly all colleges and universities vulnerable to cyberattacks, which are only becoming more sophisticated in the age of generative artificial intelligence.
“Education is such an easy target for threat actors,” Riley said, “mostly because of the necessity for so many unsophisticated users to be on the network.”
Although a lawsuit filed by a group of Penn alumni earlier this month claims the recent hack was the result of the university’s “negligence and insufficient data security,” Riley said hackers can still breach some of the most sophisticated cybersecurity systems.
That’s in part because the breaches at Penn and other universities were achieved through a tactic known as social engineering, in which a hacker uses false pretenses to convince an employee to give them access to sensitive information.
“The best security defense index in the world can’t get around the human element being vulnerable to making mistakes, keeping data somewhere where it shouldn’t be, allowing a threat actor to steal their password and getting tricked into providing multifactor identification, or convincing them to give access to a file share,” Riley said.
And with the advent of generative AI, those ruses are becoming much harder to detect.
“It used to be that we would train folks to detect a potential social engineering attack by looking for bad grammar or misspelled words,” Riley said. “That is almost entirely gone now with generative AI, which is generating the social engineering emails or communication based on local communication styles.”
