At a glance.
- High Court finds UK immigration officers tricked migrants into giving up their phones.
- Breach of school admin platforms exposes data of thousands of New York students.
- New York school district falls prey to ransomware attack.
- Detention leads to data theft.
- Employment fraud maintains its Covid-driven high levels.
High Court finds UK immigration officers tricked migrants into giving up their phones.
The UK’s High Court has ruled that the Home Office acted unlawfully in extracting data from mobile phones seized from immigrants. Sky News reports that in a program dubbed Project Sunshine, immigration officers abused their powers to covertly confiscate the phones of migrants crossing the English Channel in small vessels, telling the individuals they could be prosecuted if they did not hand over the passwords to their devices. The cases of approximately eight hundred fifty individuals are currently being investigated to determine if the officers violated privacy laws; if so, the agency could be fined £17 million. Clare Jennings, one of the lawyers who presented the case, stated, "Today's judgment provided much needed clarification as to the extent of immigration officers powers of search and seizure and confirmed beyond doubt that the Home Secretary's policy of seizing all mobile phones from small boat arrivals was unlawful."
Breach of school admin platforms exposes data of thousands of New York students.
In what could be the largest breach of US K-12 student data in history, the info of 820,000 former and current New York City public school students were exposed in a cyberattack on education services firm Illuminate Education. The California-based company, which was hacked earlier this year, develops school grading and attendance platforms Skedula and PupilPath and is under fire for allegedly erroneously claiming the company encrypts all student data. Department of Education spokesman Nathaniel Styer explained, “We are outraged that Illuminate represented to us and schools that legally required industry-standard critical safeguards were in place when they were not.” The breach resulted in a very disruptive, weeks-long shutdown of grading and attendance systems in January, and the hackers gained access to names, birthdays, ethnicities, home languages, and student ID numbers, as well details about special education services, class schedules, and free lunch programs. Doug Levin, national director of K12 Security Information Exchange, told the New York Daily News, “I can’t think of another school district that has had a student data breach of that magnitude stemming from one incident.”
New York school district falls prey to ransomware attack.
Also in New York state, Riverhead school district has begun notifying nearly 20,000 individuals that their data might have been compromised in a December cyberattack. The notification letter, which is being sent to former district employees and former and current students, refers to the incident as a ransomware attack and notes that names, family member names, addresses, and dates of birth were among the exposed data. “Together, we continue to investigate and closely monitor the situation. Additionally, we notified the Department of Homeland Security and the Federal Bureau of Investigation’s cybersecurity unit, IC3, of this incident. Further, we are taking steps to strengthen our security posture to prevent a similar event from occurring again in the future,” the notification reads. Though details about the attack are being withheld until the ongoing investigation is completed, school superintendent Augustine Tornatore explained that the attacker likely gained access to the district’s network through an email. Tornatore told RiverheadLOCAL, “It was a very different entry point into our system than other districts may have experienced. So this means that somebody paid this group…to specifically do this to Riverhead.”
Detention leads to data theft.
Meanwhile, in the state of Illinois, StateScoop reports that ransomware gang Vice Society has exfiltrated and published over three thousand documents stolen from the Griggsville-Perry School District. Though some of the documents appear to be enrollment lists that include student names, the majority of files are fortunately related to rather mundane school functions, like a 2014 detention slip given to an overly talkative student, and do not contain any personally identifiable information. Though such disciplinary notices are not protected under the Family Educational Rights and Privacy Act, the incident does highlight the danger in schools holding onto old data for too long. “It’s a breach that didn’t have to happen if data were routinely purged or moved offline to storage,” DataBreaches.net stated.
Tim Erlin, VP of strategy at cybersecurity company Tripwire, commented on the Willie-Suttonesque attraction schools have for cyber criminals:
“Educational institutions collect large amounts of personal data, and that makes them a target for attackers. Cybersecurity is one of the easiest problems to throw money at, especially in response to a breach, but it’s also a problem that is never solved by simply increasing budgets. In order to deploy cybersecurity technology to effectively solve problems, organizations need to have a deep understanding of the problem they’re actually trying to solve. When you outsource sensitive data to a third-party supplier, you’re not absolved of responsibility for protecting that data. It’s still your name that ends up in the headlines.”
Employment fraud maintains its Covid-driven high levels.
Proofpoint researchers report that employment fraud continues to appear at a high level, and that it disproportionately affects students at colleges and universities. "There are many variations of this threat including job offers as caregivers, mystery shoppers, administrative assistants, models, or rebate processors." The goal of employment fraud isn't usually direct theft from the victims, but rather either theft of identities or credentials, or the recruitment of victims into criminal activity as (for example) a money mule. Sherrod DeGrippo, vice president, threat research & detection at Proofpoint, summarized some of the research's implications: “These types of threats can cause people to lose their life savings or be tricked into participating in a criminal operation unknowingly. They are very concerning for universities especially, and Proofpoint detects and blocks thousands of employment fraud threats weekly that could harm their students and faculty.”