Recently, Scott County Schools, in Kentucky, fell victim to a $3.7 million fraud phishing scam. According to Superintendent Dr. Kevin Hub, a vendor informed the district that an invoice sent to the district had not been paid. In looking into the matter, the district found that someone else had been paid instead, via a fraudulent email disguised as the vendor.
“This is a process that we use currently in Scott County Schools. It’s a way that we pay our vendors. And it was in this specific case, a single case, that we can verify, and this fraudulent email and fraudulent documentation is what caused this crime to happen.”
The Scott County Schools incident is far from being an isolated case among educational institutions. Out of 17 major industries, the education industry is ranked the worst in cybersecurity. This is according to a report published by SecurityScorecard, an IT security firm based in New York City. SecurityScorecard’s research demonstrates that there exists substantial risk to students.
For one thing, vast amounts of student personal data are amassed on school networks, including academic, health and financial records. The education industry is also failing to take many of the steps essential to protecting students from cyber attacks. In its 2018 Education Cybersecurity Report, SecurityScorecard found that the main areas of cybersecurity weakness in education are application security, endpoint security, patching cadence and network security.
University networks are particularly vulnerable to cyberattacks, says Sam Kassoumeh, chief operating officer and co-founder of SecurityScorecard. “There is a large surface area of exposure at a university. It’s thousands and thousands of devices distributed over a campus.”
In addition to that, students frequently use more than one device in and out of class, with varying degrees of security applied to the devices. Lack of funds for cybersecurity is prevalent in the education industry and impacts the size and quality of school IT departments. Kassoumeh explains that, “instead schools often rely on one person or a small team for all campus IT needs.” He said, “there’s just not enough time, focus and attention given to the security function.”
Ed Hudson, chief information security officer for the California State University system, told EdScoop: “I think Higher Education cybersecurity is unlike any other industry in the cross-section of our challenges.” He pointed out that the education field has pretty open networks in order to accommodate faculty and student needs. “Our cybersecurity challenge is a continual balancing act to provide the most secure environment possible while making it the most open to facilitate academic research,” Hudson said.
K-12 educational institutions aren’t fairing well either, as a US school district becomes the victim of a cyberattack approximately every 3 days. The cyber incidents range from data breaches to phishing scams to ransomware attacks. Many of the incidents are hugely consequential, resulting in the theft of millions of taxpayer dollars, identity theft or fudged school records.
In the 2019 State of Malware report, by Malwarebytes, the education industry is revealed to be a constant in the top 10 industries targeted by cybercriminals. The report also found the SAT and ACT to be susceptible to data breaches.
Here are the recent attacks on schools:
– Bleeping Computer reported on an incident that unfolded, “like a modern-day WarGames.” Students in Michigan hacked into a school district’s computer system and modified grades and attendance records.
– Also reported by Bleeping Computer, “some parents of students attending St Lawrence College in Ramsgate were scammed by crooks into sending an undisclosed amount of money during the Christmas holidays. According to the school, the parents received emails offering fee discounts for the spring and summer terms if they would agree to send the money in advance. The swindlers used a common email scam attack, promising their victims some quick gains if they would take advantage of the discounts.”
– Georgia Tech announced that it was the target of a cyberattack in which its databases were infiltrated and the personal information of around 1.3 million current and former students, employees, and applicants was stolen.
– Washington State University agreed to hand over up to $4.7 million to settle a lawsuit that was filed after a hard drive containing the personal information of more than a million people was pilfered from a self-storage locker in 2017. The stolen hard drive contained addresses, social security numbers, career information, health data and college-admissions test scores.
– A SIM swapping high school valedictorian in Boston became one of the first people in the country to be convicted of stealing cryptocurrency by hacking a victim’s cell phone. He was sentenced to 10 years in prison.
– In Nevada, the Clark County School District police are investigating the suspected hacking of Foothill High School’s Twitter account after it began tweeting lewd images.
– According to CBS New York, two freshman students from Secaucus High School in New Jersey were taken into custody after hacking into the school’s Wi-Fi system, because they didn’t want to take exams.
– Former student at College of Saint Rose in Albany, NY, Vishwanath Akuthota, fried over 50 college computers with a “USB Killer.” Akuthota used a device which is capable of quickly seizing power from a USB port, followed by a high voltage (technically, -200 Volts) being sent back through the signal lines, which overloads and destroys the hardware.
The poor state of cybersecurity in schools is further complicated by the fact that students are typically more tech-savvy than their teachers. So, even if restrictions are put into place, many students are able to sidestep them and in the process compromise security.
There is also potential danger present when students engage in certain behaviors, such as using vault apps. Vault apps provide cover for accessing the darknet, where they can pay a hacker to change their grades or buy academic papers, fake IDs or a gun.