The Biggest Higher Ed Data Breaches in 2019

by Paul Anand
on Nov 1st, 2019

Data breaches not only affect individuals but also tarnish the reputation of the organization for years to come. From lost trust to regulatory fines to remedial costs, data breaches have many major impacts. According to the annual Cost of a Data Breach Report 2019, conducted by the Ponemon Institute, the average total cost of a data breach is $3.92 million. As higher ed institutions adopt new technologies, they also fall prey to malicious actors. Here is a list of the biggest higher ed data breaches in 2019 and their impact:

Australian National University

On 4th June 2019, the Australian National University confirmed the May and November 2018 data breach affecting nearly 200,000 people. According to the executive summary of the report, the intrusion in the second attack was first detected in April 2019 during a baseline threat hunting exercise. During this exercise, the University discovered network traffic data suggesting the presence of a malicious actor with characteristics different from the one it had detected in May 2018.

The initial attack was carried out through a sophisticated spear-phishing email that only required users to click on a link or download an attachment. The attack affected the ANU network for almost 6 weeks, with most of the malicious activity ending around mid-December 2018. The attacker(s) eluded detection systems by evolving their techniques during the attack. They also used custom malware and operational security.

According to the Vice-Chancellor of the Australian National University, “The perpetrators of our data breach were extremely sophisticated. This report details the level of sophistication, the likes of which has shocked even the most experienced Australian security experts.”

The cyber attacker(s) accessed the victims' names, addresses, dates of birth, personal emails, tax file numbers, bank details, passport details, and academic records. According to the report published by the Australian National University (ANU), the hackers took much less than the 19 years’ worth of data.

Oberlin College, Grinnell College, and Hamilton College

Oberlin College in Ohio, Grinnell College in Iowa, and Hamilton College in New York fell prey to a single attack. The hacker broke into Slate, an applicant management software used by the three colleges, and got access to admissions materials from applicants to the Class of 2023.

A Hamilton College admission staff member discovered the hack on Monday, March 4, 2019, upon realizing that their password had been compromised. The admission department of Hamilton College further discovered that the hackers had accessed the database using an employee’s password and that the attackers had attempted to send an email to Hamilton applicants. However, due to the security restrictions at Hamilton College, the hacker’s attempt to send an email to the Class of 2023 applicants failed. The same attempt allegedly succeeded at Grinnell College. Later, however, even applicants from Hamilton College reported receiving messages.

Applicants received emails offering them access to confidential information regarding their admission file for a fee. Allegedly, every applicant ended up paying $3800 or more for their file. Thereafter, the hackers sent another email offering a limited amount of information for $60. Hackers also got access to valuable personal data including names, addresses, birthdays, etc.

On the other hand, Alexander Clark, CEO of Technolutions Inc., said that “Slate had not been compromised and that the hackers gained entry to the system through the affected colleges’ password-reset system, not through Slate itself.”

Oregon State University

In June 2019, Oregon State University (OSU) announced that a data breach affecting the records of 636 students and family members had occurred during the month of May. Personally Identifiable Information (PII) has potentially been affected by this breach.

As of now, the university hasn’t revealed which PII was breached, but PII generally includes names, addresses, telephone numbers, Social Security numbers, etc. Financial records generally aren’t considered part of PII during data leaks. However, it is still uncertain whether the names, birthdates, and Social Security numbers of current and prospective students, as well as their family members, have been exposed.

The university further explained that an OSU employee’s e-mail account was hacked by individuals outside the university and subsequently used to send phishing e-mails. Upon further investigation by an OSU forensic specialist, it was found that several documents within the OSU employee’s inbox contained personal information of 636 students and family members of students.

University of Connecticut

In February 2019, UConn Health, an academic branch of the University of Connecticut that oversees clinical care, advanced biomedical research, and academic education in medicine, announced a breach affecting 326,000 patients. According to the official notice, UConn Health determined on December 24, 2018, that “an unauthorized third party illegally accessed a limited number of employee email accounts.” It also stated that the accounts contained some personal information such as individuals’ names, dates of birth, and addresses. They also contained limited medical information such as billing and appointment information, as well as the Social Security numbers of a few individuals.

The University of Connecticut and UConn Health faced a class-action lawsuit over the data breach and for putting patient identities at risk.

Many of these attacks could have been prevented by using an IAM suite. In addition to IAM, these higher ed institutions could have boosted their security from the beginning by using app-level MFA, or by implementing MFA with their Single Sign-On solution. QuickLaunch has already helped to boost the security of 500+ higher ed institutions in the past few years. Try our 30-day free trial to learn more about QuickLaunch IAM and the benefits it can offer your institution.