12 Email Security Incidents Involving U.S. Education Institutions


Social attacks continue to pose a threat to organizations everywhere. Take phishing attacks as an example. In its 2019 Data Breach Investigations Report (DBIR), Verizon Enterprise found that phishing campaigns constituted the fifth top action variety across all reported security incidents and the top action variety in disclosed breaches. It’s therefore not surprising that these attacks registered as a top action variety in sectors such as Educational Services.

Out of all reporting education organizations, U.S. institutions have clearly suffered their fair share of recent phishing attacks. Many of these instances have even propelled school districts, colleges and universities into the headlines. Here are just a few that broke the news over the past year.

1. Colorado State University

The Public Safety Team at Colorado State University (CSU) detected a phishing attempt against its systems over the summer of 2018. According to Collegian, digital attackers targeted the university with a phishing attack designed to steal the login credentials of CSU students. The school’s Public Safety Team noted how bad actors could have abused those credentials to log into student portals and then view or change personal information like bank account data.

2. Cape Cod Community College

In early December 2018, Cape Cod Community College revealed that bad actors had targeted its facilities with a phishing scheme. Scammers compromised several computers in the Nickerson Administration Building and accessed college banking information, data which they then used to fraudulently transfer $807,130 of the school’s funds. As of 8 December, the community college had recovered $278,887 of those funds by working with its bank. Perhaps unsurprisingly, law enforcement and university officials believe the original source of the attack involved an employee clicking on a seemingly harmless email attachment.

3. St. Lawrence College

Around the 2018 holiday season, parents of students attending St. Lawrence College received convincing-looking emails promising them that they would receive substantial tuition fee discounts if they agreed to send money in advance. Bleeping Computer’s reporting reveals that two of the contacted parents fell for the scam and sent money over to the hackers posing as college officials. This breach followed on the heels of what headteacher Anthony Spencer called a “sophisticated attack” in which bad actors gained access to email addresses and other personal information stored by the school. Unfortunately, well-coordinated scams like this seem to be happening with increasing frequency in education.

4. Wichita State University

News of a phishing attack that succeeded in victimizing three employees of Wichita State University emerged in early January 2019. That scheme tricked those individuals into handing over their university ID numbers and passwords. With that information in tow, bad actors had the necessary privileges to access other employees’ bank account numbers. They then abused that information to divert several employees’ direct deposit payments to accounts under their control. Schemes like this demonstrate the ease with which bad actors are able to quickly monetize all types of stolen credentials.

5. Missouri Southern State University

On 9 January 2019, Missouri Southern State University learned of a phishing email attack targeting its workforce. This campaign sent out emails with malicious links that, when clicked, redirected recipients to phishing pages designed to steal their Office 365 account credentials. Several employees fell for the scheme. At the time of compromise, their accounts held both emails and attachments that contained full names, birth dates, home addresses, email addresses, telephone numbers and Social Security numbers. This form of attack can potentially open even well-meaning institutions to a variety of serious legal and financial consequences.

6. Western Technical College

Western Technical College revealed in March 2019 that the school had likely fallen victim to a phishing attack in October 2018. In the process, it’s possible that bad actors compromised personal information, including the names and Social Security Numbers, of former students who graduated as far back as the 1990s and early 2000s. The phishing attack affected neither current students nor alumni outside of this specific window of exposure, a College investigation found. Though there is no direct evidence this information was immediately used, the situation still represents an embarrassing breach of cybersecurity – and confidence in the College’s ability to keep private information secure.

7. Oberlin College, Grinnell College and Hamilton College

Digital attackers breached Slate, a system owned by Technolutions Inc. which enables schools to track the information of students who’ve applied for admission, in March 2019. Subsequently, those actors wreaked havoc by resetting the passwords for staff members at Oberlin College, Grinnell College and Hamilton College. They then used those passwords to gain access to the full applicant database, as reported by the Wall Street Journal, before sending out emails to students informing them that they could purchase their admission files for as much as $3,800.

8. Oregon State University

In June 2019, Oregon State University announced a security incident in which bad actors compromised a school employee’s email account and then abused their access to send out phishing emails across the nation. That account included the personal information of 636 students and their families at the time of compromise. According to Corvallis Advocate, the attack might have compromised victims’ names, birthdates and Social Security Numbers.

9. Monroe College

NY Daily News reported in July 2019 that bad actors succeeded in attacking Monroe College’s computer system. They used ransomware to infect each of Monroe College’s campuses in Manhattan, New Rochelle and St. Lucia. This malware rendered the College’s website inaccessible and might have also compromised internal emails. While it’s not known for sure how the situation was ultimately resolved, hackers behind the attack told officials they would disinfect all campuses for the sum of 170 Bitcoin, or about $2 million at the time the ransom demand was made. While the school was quick to point out that the attack did not impact classes or its payroll system, ransom aside, it’s difficult to place a price tag on the chaos caused by this incident.

10. University of Wisconsin-Parkside

In the middle of July 2019, the University of Wisconsin-Parkside received notice from a bank of a new account. The bank had received electronic payments from UW-Parkside, but it had flagged the transfer as a result of the receiving account’s novelty and the type of payments involved. Losses amounted to about $315,000, reported Kenosha News. However, the school did succeed in recovering part of the funds, and it expected that insurance would cover the rest. This instance of fraud resulted from a phishing attack in which an individual using an employee’s credentials changed the banking account routing numbers for two UW system vendors.

11. Louisiana School System

Near the end of July 2019, Louisiana Governor John Bel Edwards issued a statewide Emergency Declaration as the result of a digital security incident affecting several local government agencies. Those entities included the school systems in Sabine, Morehouse and Ouachita. According to BossierNow, each of those school systems suffered a malware attack that disrupted some of their technology systems along with their central phone systems.

12. Houston County Schools

Houston County Schools announced at the end of July 2019 that its computer servers had suffered a malware infection. That attack affected the school system’s telecommunications and computer functionality across the entire district, as noted by Dothan Eagle. After discovering the infection, it took school officials several days to even measure the full impact of the attack. To help give the IT teams enough time to reinstall affected assets and restore disrupted computer systems’ functionality, school officials decided to delay the system-wide start date for the academic year until 5 August.

Defending Against Email-Based Attacks in Education

The attack campaigns discussed above highlight why it’s so important for U.S. schools, universities and other educational institutions to defend themselves against email-based attacks. One of the best ways they can do that is by investing in an email security solution that’s capable of providing sophisticated inbox protection for faculty, staff and students. Specifically, such a platform should be capable of evaluating incoming messages based upon their IP addresses, URLs, targeted phrases, campaign patterns, known malware signatures and behavior indicative of zero-day attacks. This solution should also be capable of analyzing email correspondence in real time, all while allowing legitimate messages to reach their intended destination.

It only takes one malicious email to infiltrate your network or take your data and reputation hostage. Fortunately, combining effective training with a solution that has the features outlined above can go a long way toward keeping your students, alumni, faculty, staff and parents safe.
