U of Nebraska Breach Highlights Education In Crosshairs

Database containing records on 654,000 individuals exposed through 'targeted' attack
As details emerge about the recent hack at the University of Nebraska, security experts warn that the exposure of sensitive information on more than 654,000 individuals is a textbook example of how universities have become a prime target for attackers of every motivation.

"We've gotten to the point where, if you are a university, you have to understand that you have probably already been breached and you don't know it yet," says Damon Petraglia, director of forensic and information security services for Chartstone. "And if you haven't, you will be. You will be attacked. There's no question about that."

[U of Nebraska Is Hardly Alone. See The (Not-So) Elite Eight In Higher Ed Breach Madness.] University officials at Nebraska have been strategically mum about exactly how the database was compromised, but they did say that they discovered the breach on May 23. The attacker had broken into the Nebraska Student Information System (NeSIS), a centralized database containing personal records of current students and of alumni going back as far as those who attended in 1985, as well as other data held for the Nebraska State College System.

"Right now we're focused on determining the exact nature of the breach and communicating with those who may have been affected," Joshua Mauk, information security officer for the university, told the press earlier this week. "We are working with law enforcement and forensics experts to thoroughly reconstruct this incident so that we can identify limitations in our system and put new safeguards in place for the future."

According to Mauk, the attack was extremely targeted, and the university says there is no evidence yet that the exposed records have been used for illicit purposes.

Petraglia says the targeted nature of the Nebraska incident mirrors what he's seen at the universities that have hired him to do security consulting and forensics work of late.

"The 'targeted' part says to me that the attacker had researched and done reconnaissance to select a specific target. Typically, when they say targeted, that's spear phishing," he says. "I don't want to speculate too much on how this happened; however, with the universities I've been consulting with, I've seen a tremendous increase in phishing attacks."

Phishing and other attacks against educational institutions are increasing largely because of the value of the data these organizations are entrusted with, says Rob Rachwald, director of security strategy at Imperva.

"The one thing that surprises me is just how much data educational organizations actually sit on," Rachwald says. "It is probably second or maybe tied with healthcare records in terms of sensitivity and volume. In this case, they had social security numbers, they had financial information, they had grades, transcripts, and that's consistent across most any educational organization, to sit on that much information. If you are a criminal, you really have quite the motherlode to do some fun stuff with that."

What's more, the University of Nebraska case shows how concentrated that data can be within massive, centralized databases such as NeSIS.

"On the criminal side, it is literally a one-stop shop. With Nebraska, they had a database with all that information all in one place," Petraglia says. "That's not necessarily a bad thing--I'm not going to fault Nebraska for that. But once a bad actor gets into that one database, they don't have to go any further. Everything is right there for them. And that's traditionally the way universities are set up. Tremendous amounts of personally identifiable information, a lot of financial information, medical records, everything you want is in one place. Once you're in, you don't have to go too far."

According to Petraglia and Rachwald, despite the value of the information universities hold, they lag far behind other industries in information security practices and management. For example, Petraglia says it is still common to find major universities with no dedicated information security department on campus.

"The emphasis has not been on security. Very large universities function solely with an information technology department," he says. "A lot of times it’s a philosophy of 'It's not going to happen to me. I don't have anything of importance, so why could anybody attack me?' It happens all the time and the bad actors are watching these things."