Two universities hacked in three months; who is next?

As of 2023, there are 12 accredited universities in the state university system in Florida. The state college system includes 28 state and community colleges. In addition, there are 27 private universities and colleges in Florida and another 28 higher education institutions with religious affiliations. That’s more than 100 accredited organizations in the state of Florida who provide higher education and ancillary services that have become part of their ecosystems. On the larger stage, several thousand chartered, licensed, or accredited institutes of higher learning operate throughout the 50 United States.

Universities are Responsible for Volumes of Personal Data

Most universities and colleges have business offices to manage tuition and other payments, medical offices to treat ailing students, and financial aid offices to provide scholarships, loans, and grants. Many perform employee and faculty payroll functions as well.

Universities who specialize in training physicians and other medical professionals to provide healthcare services are responsible for extensive and detailed records. Universities who support research that can lead to ground-breaking innovations maintain patents, copyrights, and other intellectual property.

Higher ed institutions who provide any of these services are governed by regulations designed to safeguard the personally identifiable information (PII) and protected health information (PHI) of their students as well as other sensitive data they generate and maintain. Increasingly, this data lives online, and is processed and stored in the cloud.

Your Data Requires Protection and Security, and Here’s Why

Universities continue to be targeted by hackers and ransomware criminals, in large part because they gather and maintain so much data about students and often, by default, their parents. No higher education institution is immune to attack, whether it’s among the largest or the smallest. University data breaches are remarkably common, as illustrated by three recent examples.

Stanford University, Palo Alto, California. Stanford is a private research university founded in 1885, and at 8,100 acres is one of the largest campuses in the U.S. Between December 2022 and January 2023, Stanford suffered a data breach. A folder containing current, detailed applications for admission to its Economics PhD program was misconfigured during set-up, making the files openly available on the website. Misconfigurations are common vulnerabilities that can occur fairly easily if IT staff are busy, distracted, or inadequately trained. Files were downloaded from the website without authorization between December 5, 2022 and January 24, 2023. Notice of the data breach was sent to nearly 900 applicants whose data was exposed, which included names, dates of birth, home addresses, email addresses, phone numbers, and information about race, ethnicity, citizenship, and gender. While this specific breach was limited in scale, similar misconfigurations of settings could have occurred in other Stanford databases. With its current enrollment of 17,000 students, the resulting data breaches could have been massive.

University of Hawaii, Honolulu, Hawaii. Established in 1907, the University of Hawaii is a public institution operating three universities and seven community colleges with a current enrollment of 19,000 students. In mid-February 2023, the University’s Maui College took its systems offline after discovering that its IT network had been accessed without authorization. Unauthorized access is frequently caused by cybercriminals who have hijacked passwords, and occasionally by disgruntled former employees whose login credentials were never terminated. An investigation in collaboration with cybersecurity experts confirmed that certain files had been breached, including those containing confidential information of some 10,500 students. Notifications were sent to all affected students, and college staff were instructed to change their passwords as a deterrent to future breaches.

Our Lady of the Lake University, San Antonio, Texas. Our Lady of the Lake is a private, non-profit Catholic university founded in 1895, with a current enrollment of 1,200. On or around August 30, 2022, the university’s network was accessed without authorization. An investigation in collaboration with cybersecurity experts, which concluded on March 3, 2023, confirmed that personally identifiable information (PII) had been removed from the network. The stolen data included names, university identification numbers, dates of birth, bank account information, and online credentials as well as Social Security, driver’s license, and/or passport numbers. Notification of the breach began in late March 2023 to an undisclosed number of victims. On April 21, 2023, a lawsuit filed in Texas District Court in San Antonio charged the university with negligent and careless acts and omissions leading to its failure to protect individuals’ personal information.

Were These Universities Compliant with Security Regulations?

Higher education institutions are governed by federal and state regulations designed to safeguard the personally identifiable information (PII) and protected health information (PHI) of their students as well as other sensitive data the universities generate and maintain.

Nearly all current regulations have a security component because the relentless nature of cybercrime demands it. Security requirements are usually expanded or strengthened during periodic regulatory updates to keep pace with evolving cybercrimes. Below are the three primary data security regulations that apply to most universities in the U.S., although given the university data breaches described above, widespread compliance is doubtful.

• Payment card industry regulations revolve around the PCI Data Security Standard, a set of 12 primary security categories with dozens of security requirements in each. These requirements govern organizations who accept credit cards or debit cards as payment for goods or services, including tuition, textbooks, meal plans, sports equipment, and other expenses.
• Organizations who provide financial services, whether to consumers or businesses, are regulated by the stringent security requirements of the Gramm-Leach-Bliley Act (GLBA). The GLBA certainly applies to universities who provide financial aid or offer other financial services such as scholarships, grants, loans, and student employment.
• Organizations who provide healthcare services must comply with the Health Insurance Portability and Accountability Act (HIPAA) and its Security Rule, Privacy Rule, and Data Breach Notification Rule requirements. Whether you are a medical university or simply operate a campus clinic for students, HIPAA applies to you.

It is not yet certain whether these three institutions were compliant with applicable regulations. The more important question, however, is whether your own university is compliant.

For Campuswide Security, Adopt a Cybersecurity Framework

In addition to the specific regulations above, universities may choose to implement one of the widely accepted cybersecurity frameworks to ensure cybersecurity throughout the university’s network and systems. Below are the two security frameworks most commonly adopted by universities in the U.S.

• The National Institute of Standards and Technology (NIST) Cybersecurity Framework enables organizations to better manage and reduce cybersecurity risk. This framework consists of standards, guidelines, and practices to protect infrastructure, information technology, and data.
• The HITRUST CSF provides a comprehensive, flexible, efficient path for complying with sets of regulatory requirements and security standards that govern many different industries. The foundation of this framework is ISO/IEC 27001:2005 and 27002:2005, which are universally accepted standards promulgated by the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC). 

Selecting the right security framework for your institution can be a challenge, but assistance and resources are available.

More About the NIST Cybersecurity Framework. The NIST CSF consists of five core functions involving identification, protection, detection, response, and recovery from a security incident. These are subdivided into categories for ease of use. Cybersecurity and compliance firms, such as 24By7Security, conduct assessments against the five core functions and their categories to reveal gaps between the framework and your university’s security program. Addressing these gaps enables you to improve security throughout your institution by implementing a robust, comprehensive cybersecurity framework. Our experts can guide you throughout that journey.

More About the HITRUST Framework. Similarly, a credentialed cybersecurity and compliance firm can assist you in implementing the HITRUST framework. You’ll receive assistance in identifying the level of security controls most suitable for your university, followed by a gap assessment to identify and remediate gaps between the framework and your existing security program. With expert assistance, you’ll prepare the required policies, procedures, and forms, and also prepare for your certification audit to demonstrate compliance with the HITRUST framework. Ongoing maintenance assistance helps ensure your compliance doesn’t erode over time, which can happen when systems, technology, infrastructure, and key personnel are either introduced or retired.

Additional Resources and Assistance. Similar resources are available for universities required to comply with PCI DSS, GLBA, or HIPAA regulations. Your IT staff will not have to tackle compliance and cybersecurity without expert assistance. In addition, the services of an experienced Virtual CISO can help your security team focus where they need to, when they need to. And if your university is in between security chiefs, engaging a Virtual CISO can prevent a vacuum while you recruit and hire.

Summary

University data breaches are not uncommon, as illustrated by three recent incidents affecting large and small institutions. Hackers access data using hijacked login credentials. Misconfigured computer settings introduce vulnerabilities. Data is stolen and held for ransom. The lure for cybercriminals is the sheer volume of sensitive information, inadequately protected, floating around in the ether.

Universities and colleges are governed by clear regulations requiring data security. They have access to adoptable cybersecurity frameworks and resources to assist them in implementing safeguards. The key questions are whether they are fully compliant with all regulations that apply to them, and whether their cybersecurity programs can make the grade.

Universities are overdue to refocus, assess their compliance and security, prioritize the vulnerabilities they identify, and resolve those vulnerabilities to reduce their risks. They owe it to themselves as well as to their student, parent, and faculty communities.