UC Berkeley breach: Universities increasingly targeted in cyberattacks

A recent cyberattack at the California state university highlights how the combination of vast quantities of personal information and lax online security has made educational institutions attractive targets for hackers.

Melanie Stetson Freeman/The Christian Science Monitor/File
Students and visitors walk across campus at the University of California Berkeley, on February 19, 2014 in Berkeley, Calif. Administrators at UC Berkeley announced on Friday that hackers infiltrated the school's financial system containing data on 80,000 students, faculty, and alumni.

The University of California at Berkeley is investigating a cyberattack on a university computer system that holds financial data for 80,000 people, from students and alumni to faculty and vendors.

The San Francisco Bay area university said on Friday that there is no evidence any information has been stolen, but that it has notified potential victims of the data breach, which include about half of the school’s current students, two-thirds of its active employees, and over 10,000 vendors who work with the school.

The attack on the system, which stores social security and bank account numbers, occurred in late December when the university was patching a security flaw in its financial management system, school officials said.

The university frequently identifies similar hacking attempts, the school added. Indeed, the hack at UC Berkeley is just the latest in a series of large-scale cyberattacks on educational institutions. The combination of large stores of important data – from personal financial data to research and patents held by researchers – and often weak online defenses means colleges and universities are attractive targets for hackers around the world, security professionals say.

From 2013 to 2015, 550 universities reported some kind of data breach, NBC reported last fall, and in 2014 only the health care and retail sectors reported more security breaches than the education sector, according to Symantec's Internet Security Threat Report. Recent targets have ranged from the University of Connecticut and Johns Hopkins to the Maricopa County Community College District in Arizona.

And the attacks aren't just one-off assaults from small-time hackers, cybersecurity analysts say. The University of Wisconsin has reported 90,000 to 100,000 attempts to penetrate its system per day from China alone, University Business reported in October. Last May, the FBI informed Pennsylvania State University of a security breach potentially affecting 18,000 students and faculty, as well as around 500 research partners. The university was able to trace the hack to China, and found that it might have been going on for two years.

But a number of factors make it particularly hard for colleges and universities to defend against cyberattacks. First, the transient nature of the student body means new devices are constantly entering and leaving the university system. The academic environment also typically encourages the free flow of information, leaving institutions more vulnerable to attack. Purdue University's chief information security officer told University Business that schools have resisted implementing strong digital security measures because "researchers want to collaborate with others, inside and outside the university, and to share their discoveries."

Educational institutions are also often hamstrung by tight budgets and a market for education software that is unprofitable and therefore uncompetitive.

"Most of the third-party companies that provide software to educational institutions, frankly, don't focus on security," Michael Borohovski, founder and CTO of Tinfoil Security, told NBC News. "If they don't have to spend money on security and can still win a contract, that is what they’re going to do."

UC Berkeley officials have informed law enforcement, including the FBI, of the attack on their system, and have hired a private company to investigate the attack.

"The security and privacy of the personal information provided to the university is of great importance to us," said Paul Rivers, the university's chief information security officer, in a statement. "We regret that this occurred and have taken additional measures to better safeguard that information."

Material from Reuters and The Associated Press was used in this report.
