Over the last decade, negative cyber incidents such as data breaches have become increasingly counterproductive, and occasionally dangerous, to businesses across all sectors. Higher education is no exception, and colleges both public and private have come up against the same threats to digital security and online privacy that exist in industries such as manufacturing, healthcare, and finance. Sometimes, a single malicious actor is involved; more often, patterns of willful ignorance regarding best practices for digital security can, and will, lead to crises for employees—or, in this case, for students and faculty members.
“Hackers” Make Headlines
Recently, a trio of U.S. colleges made headlines when their admissions databases were breached by individuals who wanted to sell applicant data to incoming students. Confused high school students across the country were offered the opportunity to buy a university perspective on their own application for a few thousand dollars.
Oberlin College in Ohio, Grinnell in Iowa, and Hamilton College in New York would seem to share little in common beyond a top-level categorical designation as private liberal arts institutions. However, these three colleges, like hundreds of others across the country, rely upon the same third-party software—called Slate—to manage the terabytes of applicant data that are gathered, evaluated, and eventually used to support each year's acceptance or rejection decisions. Faculty members use individual accounts within the platform to quickly navigate these applications, which hold a great deal of private information on incoming students.
Authorities and media outlets involved were quick to jump to conclusions regarding a potential data breach on Slate’s side, but representatives verified that no user had gained access without “legitimate user credentials.” Instead, college staff members’ passwords were simply reset and used to gain access to the files of incoming students. The three universities turned to external specialists to combat what they had internally misunderstood as a “hacking” problem, contacting “cybersecurity experts,” federal authorities, and “data-security experts” for external support, rather than their own in-house IT staff. As is typical, the “hacking” was merely a consequence of much simpler social engineering: creative manipulation of the human error that becomes inevitable when proper security measures do not exist and an opportunity for profit does.
The “hackers” in this case had merely been exploiting a security vulnerability to take advantage of insecure, coveted data, proving that higher ed is as volatile an industry as any when it comes to cybersecurity weaknesses. Experts agree: Moody’s Investors Service recently classified higher education with an “increasing” cyber risk due to the prevalence of confidential research and the financial or medical records of students. Add to that assessment recent patterns of vulnerabilities in the higher ed system, digital or otherwise: many universities have made recent headlines when decades-long abuse scandals have finally accrued enough digital or physical evidence to reach the public eye; a recent, massive college admissions scandal revealed a network of high-net-worth parents eager to buy their children’s way into college; more generally, colleges across America have been beset by a wave of stagnating enrollment rates coupled with cutthroat competition between applicants to colleges of every caliber. At such a juncture it’s hard to ignore the fact that a lack of proper cybersecurity protocols plays a part here.
Universities don’t always have robust cybersecurity tools and methodologies in place, let alone entire dedicated cyber departments, for mitigating these new risks. Many of these problems are minor, and involve data that’s been stolen, lost, or compromised. Some are more dangerous, such as physical threats that can be proactively discovered online using sentiment analysis or constant monitoring of specific keywords across social channels. Otherwise, patterns of fraudulent activity or widespread abuse will always leave a digital trail that can be discovered by discerning cybersecurity experts.
Regardless of scale, when it comes to these issues, colleges now face the same dilemma as everyone else: learn to adapt or continue to ignore a pattern of cyber vulnerabilities followed by inevitable inconvenience, exploitation, or crisis.