At a glance.
- Illuminate Education attack illuminates need for tighter student privacy protections.
- Analysis shows higher ed data at heightened risk.
- Pennsylvania health network suffers data breach.
Illuminate Education attack illuminates need for tighter student privacy protections.
The New York Times offers an in-depth look at the recent cyberattack on Illuminate Education, makers of software intended to help schools track student academic progress. The breach exposed the personal data of over one million current and former students across dozens of US school districts, including in New York City and Los Angeles, the largest public school systems in the nation. The compromised data, which goes back more than a decade, included student names, birthdates, and ethnicities, as well as sensitive details regarding behavior and disabilities. The attack illustrates how such software, though well intended, can expose student information that could not only lead to identity theft, but also negatively impact a student’s future. Joe Green, a cybersecurity professional and parent of a high school student whose school was impacted in the breach, states, “If you’re a bad student and had disciplinary problems and that information is now out there, how do you recover from that? It’s your future. It’s getting into college, getting a job. It’s everything.” And the vulnerability of such data is exacerbated by the fact that most schools simply do not have the resources for adequate security measures, making them easy prey for cybercriminals.
In 2014, dozens of K-12 education technology companies signed a national Student Privacy Pledge, vowing to maintain a “comprehensive security program” that would be upheld by the Federal Trade Commission (FTC). In the past, the FTC has penalized companies found violating children’s privacy on consumer platforms like YouTube and TikTok, but when it comes to the numerous reports of ed tech companies falling short of the Pledge, the agency has yet to take action. In May the FTC announced that regulators would be cracking down on ed tech firms violating the Children’s Online Privacy Protection Act, and according to FTC spokesperson Juliana Gruenwald Henderson, the agency is currently investigating a number of violations.
Analysis shows higher ed data at heightened risk.
Speaking of student privacy, cybersecurity and compliance company Proofpoint has provided an overview of its new research on the security measures of universities in the US, UK, and Australia, and the findings show that a whopping 97% of top learning institutions are putting students, staff, and other stakeholders at risk of email impersonation attacks. Based on Domain-based Message Authentication, Reporting and Conformance (DMARC) analysis of the top ten universities in each country, these schools are not taking adequate steps to block attackers from spoofing their email domains. DMARC lets a domain owner publish a policy telling receiving mail servers what to do with messages that fail authentication checks for that domain, at one of three levels: monitor, quarantine, and reject. Proofpoint found that none of the US or UK universities surveyed had a Reject policy in place, and five of the US universities do not publish any level of DMARC record. Seventeen of the surveyed universities implemented a Monitor policy, while only four implemented a Quarantine policy. Ryan Kalember, EVP, Cybersecurity Strategy at Proofpoint, explains, “Email remains the most common vector for security compromises across all industries. In recent years, the frequency, sophistication, and cost of cyber attacks against universities has increased. It’s the combination of these factors that make it especially concerning that the premier universities in the U.S. are currently the most vulnerable to attack.”
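The survey buckets each domain as no record, monitor, quarantine, or reject. The following added example (not Proofpoint's tooling or code from the article) classifies constructed DMARC records into those same buckets, including the downgrade that a pct=0 tag causes; a real check would read the TXT record published at _dmarc.<domain> and the sample domain names are hypothetical.

```python
from collections import Counter

# DMARC p= values mapped to the survey's policy names.
LEVELS = {"none": "monitor", "quarantine": "quarantine", "reject": "reject"}


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; pct=100' into a lowercase tag dict.
    Returns {} when the text is missing or is not a DMARC record."""
    if not record:
        return {}
    tags = {}
    for field in record.split(";"):
        if "=" in field:
            key, value = field.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    # Without v=DMARC1 receivers do not treat the TXT record as DMARC at all.
    return tags if tags.get("v", "").upper() == "DMARC1" else {}


def classify(record):
    """Map a record to the survey's buckets. A missing, non-DMARC or malformed
    record counts as 'no record' because receivers apply no policy to it."""
    tags = parse_dmarc(record)
    level = LEVELS.get(tags.get("p", "").lower(), "no record")
    pct = tags.get("pct", "100")
    # RFC 7489: mail outside the pct sample gets the next less strict policy,
    # so pct=0 turns reject into quarantine and quarantine into monitor.
    if pct.isdigit() and int(pct) == 0:
        level = {"reject": "quarantine", "quarantine": "monitor"}.get(level, level)
    return level


def tally(domains):
    """Count how many domains fall into each bucket."""
    return dict(Counter(classify(rec) for rec in domains.values()))


# Constructed sample records for hypothetical domains (not the surveyed schools).
SAMPLE = {
    "alpha.example.edu": None,                                   # no TXT record
    "beta.example.edu": "v=DMARC1; p=none; rua=mailto:dmarc@beta.example.edu",
    "gamma.example.edu": "v=DMARC1; p=quarantine; pct=100",
    "delta.example.edu": "v=DMARC1; p=reject; pct=0",            # reject on paper only
    "epsilon.example.edu": "v=spf1 include:_spf.example.net -all",  # SPF, not DMARC
}

if __name__ == "__main__":
    for name, rec in SAMPLE.items():
        print(f"{name:22} {classify(rec)}")
    print(tally(SAMPLE))
```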
Pennsylvania health network suffers data breach.
TribLIVE.com reports that Allegheny Health Network (AHN), an academic medical system based in the US state of Pennsylvania, has confirmed a recent data breach exposed the names and medical histories of eight thousand patients. The incident occurred in May when an employee received a “malicious phishing email link” that compromised their account and gave the intruder access to personal patient data including names, birthdates, and driver’s license numbers, as well as sensitive health data like diagnoses, treatments, and medical record ID numbers. WPXI adds that a small fraction of patients might have had their Social Security numbers and financial data exposed. Upon discovery of the incident, AHN and parent company Highmark Health shut down the compromised email account and enlisted the help of a third-party forensics company. Impacted patients are being notified, and AHN spokesperson Dan Laurent stated that the healthcare system will use the incident as “a learning opportunity.”
Chris Clements, vice president of solutions architecture at cybersecurity company Cerberus Sentinel, wrote to point out that ransomware gangs steal data not only for extortion, but also for resale:
“Modern cyberattacks reliably leverage data exfiltration of sensitive information for extortion or data resale. One of the main reasons these types of attacks are so prevalent are that even in an otherwise well-secured organization, average unprivileged users can have access to mass quantities of sensitive data to perform their job duties. This means that an attacker that can compromise even a non-administrator account can do tremendous amounts of damage quickly. If normal users have access to large quantities of sensitive data, there’s no need for an attacker to perform secondary attacks like privilege escalation or pivoting. It really can be the proverbial “one click compromise” situation. It's a hard problem to solve but given the risk and prevalence of data exfiltration attacks, it’s one worth pursuing.
“One of the problems with data exfiltration attacks is they often piggyback on legitimate user access so there can be little in the way of suspicious actions to trigger alerts on. Two key differences between normal user and attack behavior that organizations can look to monitor are the rate and times of data access. For example, if a user that normally accesses 50 records a day suddenly begins accessing 500, it could be cause for alarm. Similarly, a user that typically accesses data from 8am to 5pm that begins logging in at 2am can signal the presence of an attacker.”
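The two signals Clements describes, access volume and access hours measured against a user's own history, can be turned into a simple per-user baseline check. The following added example (not code from Cerberus Sentinel or the article) runs that check over a constructed access log in which a hypothetical user reads about 50 records a day during office hours and then 500 on one day, many of them at 2am.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median


def make_events():
    """Constructed sample log as (timestamp, user, record_id) tuples: five normal
    days of 50 reads between 08:00 and 16:10, then 500 reads on the sixth day,
    300 of them starting at 02:00."""
    events, start = [], datetime(2022, 5, 2, 8, 0)
    for day in range(5):
        for i in range(50):
            events.append((start + timedelta(days=day, minutes=10 * i), "jdoe", f"R{day}{i:03}"))
    day6 = start + timedelta(days=5)
    for i in range(500):
        t = day6.replace(hour=2) + timedelta(seconds=5 * i) if i < 300 else day6 + timedelta(minutes=i)
        events.append((t, "jdoe", f"R5{i:03}"))
    return events


def daily_profile(events):
    """Per user and per calendar day: number of records read and hours active."""
    counts = defaultdict(lambda: defaultdict(int))
    hours = defaultdict(lambda: defaultdict(set))
    for ts, user, _ in events:
        counts[user][ts.date()] += 1
        hours[user][ts.date()].add(ts.hour)
    return counts, hours


def detect(events, rate_factor=5, min_baseline_days=3):
    """Return (user, date, reason) alerts. Each day is compared with the user's
    own earlier days: median daily volume and the union of hours seen active."""
    counts, hours = daily_profile(events)
    alerts = []
    for user, per_day in counts.items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            prior = days[:i]
            if len(prior) < min_baseline_days:   # not enough history to judge
                continue
            base_rate = median(per_day[d] for d in prior)
            base_hours = set().union(*(hours[user][d] for d in prior))
            if per_day[day] > rate_factor * base_rate:
                alerts.append((user, str(day), f"volume {per_day[day]} vs baseline {base_rate:.0f}"))
            odd = sorted(h for h in hours[user][day] if h not in base_hours)
            if odd:
                alerts.append((user, str(day), f"access at unusual hours {odd}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(make_events()):
        print(*alert)
```

The baseline is deliberately per user rather than organization-wide, since the point of the quote is that the attacker's reads look like that user's legitimate access.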
Erich Kron, security awareness advocate at KnowBe4, commented on the continuing prevalence of email phishing:
“Email phishing continues to be a top attack vector across all industries, unfortunately far too often it results in incidents such as this. Attackers especially like tricking people into entering their credentials on a fake login site, which they can then use to compromise the email account. In our modern day, so much business is done through email, not to mention the ability to reset other account passwords through our email, and cyber criminals know that having unfettered access to an account can lead to a windfall for them. To protect against the attacks such as this, educating users on how to spot and report phishing attacks, then allowing them to practice the skills through simulated phishing emails, is a key way to reduce risk. In addition, while not foolproof, ensuring that accounts have Multi-Factor Authentication (MFA) enabled can significantly improve the security of accounts, especially when credentials are stolen.”