A cyber attack at the beginning of 2021 is being described by the University of Colorado’s President as “the largest, most complex incident involving data that the system has ever seen.” This exposure was caused by the breach of their third-party file sharing service, Accellion. The University was notified of the issue on January 25th and immediately suspended their use of the service until Accellion provided a security patch on January 28th. A forensic investigation led by the University’s Office of Information Security continues to conduct a manual review of all of the exposed data files to ensure that each affected party is notified and receives free credit monitoring.
Syracuse University is facing criticism after a university employee fell victim to a phishing email and exposed their credentials. Although the university locked the compromised account just three days later, it did not bring in an outside data security firm until well over a week after the incident occurred. The forensics firm was unable to confirm if files had been accessed at the conclusion of their investigation, and the University did not notify the potentially exposed parties until a month after the investigation was completed. State law required the institution to notify via U.S.mail, and the collection of the addresses, hiring of an outside notification service and set up of the credit monitoring service all took time. Students expressed concern that they initially thought the mailed notifications which were post-marked from Georgia were fraudulent as there was not an announcement directly from Syracuse. The University has also set up a task force to tighten up access and protection of sensitive information, increase cyber training for staff, and will also implement a two-factor authentication sign-in system for all faculty and staff.
The breach of fundraising and financial services vendor Blackbaud affected at least eighteen colleges and universities. These were confirmed to have had data exposed in the Blackbaud breach:
- De Montfort University
- University of Strathclyde
- University of Exeter
- University of York
- Oxford Brookes University
- Loughborough University
- University of Leeds
- University of London
- University of Reading
- University College, Oxford
- Middlebury College, Vermont
- West Virginia University
- New College of Florida
- Cheverus High School: Catholic High School Portland
- The Bishop Strachan School, Canada
- University of North Florida
- Ambrose University, Alberta, Canada
- Rhode Island School of Design, US
Attacks on the supply chain for higher education highlights the need to ask more questions about the security and notification process of vendors, and to take steps to lock down data with encryption, least privilege access and multi-factor authentication to verify that the data is not accessed by use of exposed credentials. Effective threat monitoring and access to trained incident response resources are also critical as no prevention is ever 100% effective.
