U of Nebraska Breach Highlights Education In Crosshairs

Published: 22/11/2024   Category: security


Database containing 654,000 exposed through targeted attack



As details emerge about a recent hack of the University of Nebraska, security experts warn that the exposure of sensitive information of over 654,000 individuals in the incident is a perfect example of how universities have become a prime target for attackers of all motivations.
"We've gotten to the point where, if you are a university, you have to understand that you have probably already been breached and you don't know it yet," says Damon Petraglia, director of forensic and information security services for Chartstone. "And if you haven't, you will be. You will be attacked. There's no question about that."
[U of Nebraska Is Hardly Alone. See The (Not-So) Elite Eight In Higher Ed Breach Madness.]
University officials at Nebraska have been strategically mum about how exactly the database was compromised, but what they did say was that they discovered the breach on May 23. The attacker had broken into the Nebraska Student Information System (NeSIS), a centralized database containing personal records of students, alumni as far back as those attending in 1985, as well as other data held for the Nebraska State College System.
"Right now we're focused on determining the exact nature of the breach and communicating with those who may have been affected," Joshua Mauk, information security officer for the university, told the press earlier this week. "We are working with law enforcement and forensics experts to thoroughly reconstruct this incident so that we can identify limitations in our system and put new safeguards in place for the future."
According to Mauk, the attack was extremely targeted and the university says there is no evidence yet that the records exposed in the breach have been used for illicit purposes.
Petraglia says the targeted nature of the Nebraska incident mirrors what he's seen at the universities that have hired him to do security consulting and forensics work of late.
"The targeted part says to me that the attacker had researched and done reconnaissance to select a specific target. Typically, when they say targeted, that's spear phishing," he says. "I don't want to speculate too much on how this happened, however, with the universities I've been consulting with, I've seen a tremendous increase in phishing attacks."
Phishing and other attacks are increasing against educational institutions largely due to the juiciness of the data these organizations are entrusted with, says Rob Rachwald, director of security strategy at Imperva.
"The one thing that surprises me is just how much data educational organizations actually sit on," Rachwald says. "It is probably second or maybe tied with healthcare records in terms of sensitivity and volume. In this case, they had social security numbers, they had financial information, they had grades, transcripts, and that's consistent across most any educational organizations to sit on that much information. If you are a criminal, you really have quite the motherlode to do some fun stuff with that."
What's more, the University of Nebraska case shows how concentrated that data can truly be within massive, centralized databases such as NeSIS.
"On the criminal side, it is literally a one-stop shop. With Nebraska, they had a database with all that information all in one place," Petraglia says. "That's not necessarily a bad thing--I'm not going to fault Nebraska for that. But once a bad actor gets into that one database, they don't have to go any further. Everything is right there for them. And that's traditionally the way universities are set up. Tremendous amounts of personally identifiable information, a lot of financial information, medical records, everything you want is in one place. Once you're in, you don't have to go too far."
According to Petraglia and Rachwald, even with the value of information universities care for, they lag far behind other industries in information security practices and management. For example, Petraglia says that it is still common to find major universities that have no dedicated information security department on campus.
"The emphasis has not been on security. Very large universities function solely with an information technology department," he says. "A lot of times it's a philosophy of 'It's not going to happen to me. I don't have anything of importance, so why could anybody attack me?' It happens all the time and the bad actors are watching these things."