The year 2016 ended for Los Angeles Valley College (LAVC) with a December 30 ransomware attack that took control over its campus email and computer network, disabling both until a ransom was paid. After consulting cybersecurity experts and law enforcement, LAVC paid the hackers $28,000 in bitcoins. Upon making payment, LAVC received the key to successfully unlock its files. Although LAVC did not have adequate backups such that it felt it could risk losing all its data, it did have cyber-insurance, which the college believed would cover some of the costs of the incident. Its cyber-insurance also gave LAVC access to cybersecurity experts to help manage the incident. LAVC is not the first university to pay ransomware. Earlier in 2016, the University of Calgary paid approximately $16,000 in bitcoins to unlock emails taken hostage by hackers, and a Newsweek article reported that nearly two-thirds of universities in the United Kingdom have been subjects of ransomware attacks.
So, what should higher education institutions do to respond to or prevent ransomware from infecting their systems? The FBI has stated officially that it does not support paying ransomware, a position that backs off some of the comments it made in 2015 that suggested paying ransomware. Instead, institutions should back up their data regularly and secure those backups on networks or computers that are not connected to those that they are backing up. So if colleges or universities do fall victim to ransomware, they will not fear losing irreplaceable data. There are also organizations and companies that help unlock ransomware, some of whom will do it for free. Also, as in the LAVC incident, obtaining cyber-insurance to offset some of the costs of a ransomware attack may prove helpful. In the meantime, consider the three rules to online security extolled by popular cybercrime blogger Brian Krebs:
- If you didn’t go looking for it, don’t install it.
- If you installed it, update it.
- If you no longer need it (or, if it’s become too big of a security risk) get rid of it.
Moreover, consult the FBI’s guidance relating to preventing ransomware attacks.
Password Breaches May Push Universities to Consider Secondary Authentication
Experian’s 2017 Data Breach Industry Forecast, which predicted five data breach trends for this year, warned about the “death of the password.” A recent arrest relating to password hacks at two universities illustrates the relevance of this prediction in the higher education realm. In November 2016, a 29-year-old Arizona man was arrested for using the password reset tools at two universities to gain access to thousands of student email accounts and successfully change those passwords. After obtaining access to student accounts, the man was able to compromise social media accounts linked to the student emails and mined those accounts for confidential and potentially embarrassing content. The U.S. Attorney prosecuting the case cautioned that “this case should serve as a wakeup call for universities and educational institutions around the country.” When login credentials are misappropriated, risks to users continue beyond the initial breach as hackers continue to sell that information on the dark web long after the breach. Dubbing these “aftershock” breaches, according to Experian, this will hasten the move toward stronger authentication using a two-factor method. Colleges and universities should prepare for this both as a first line of defense and also to protect against potential downstream breaches.
Colleges and Universities Continued to be the Target of Data Breaches in 2016
Significant data breaches in 2016 at the University of Central Florida (63,000 records), University of California, Berkeley (80,000 records), and Michigan State University (400,000 records), which involved social security number and other personal information, illustrate how colleges and universities continue to be a target of data breaches. The Berkeley and Michigan State breaches resulted from vulnerabilities in IT systems or software, and all three breaches involved significant amounts of alumni data, including social security numbers. Not only do these data breaches highlight the importance of constantly monitoring systems for threats or indications of compromise, but two class action lawsuits brought by alumni from the University of Central Florida raise the issue of how much data should be retained and for how long, as critics have questioned the necessity of maintaining sensitive data of former students.
Department of Education to Audit Colleges and Universities for Compliance with Safeguards Rule
As announced last July, colleges and universities should start expecting audits of their cybersecurity practices by the Federal Student Aid (FSA) office of the U.S. Department of Education to determine compliance with their security obligations under Gramm-Leach-Bliley’s Safeguards rules and the institution’s FSA Program Participation Agreement. Generally, all institutions making federal financial aid available to its students will need to comply and demonstrate compliance. FSA warned that “[t]he Department will require the examination of evidence of GLBA compliance as part of institutions’ annual student aid compliance audit.” In demonstrating that they ensure confidentiality and security of student financial aid records and information, among other things, colleges and universities must have a written information security program, a designated employee responsible for coordinating the information security program, an identification and assessment of risks to student data, and an information safeguards program. FSA also strongly encourages educational institutions to model their cybersecurity programs to comply with the National Institute of Standards and Technology (NIST) standards for Controlled Unclassified Information.