UC Berkeley breach: Universities increasingly targeted in cyberattacks

A recent cyberattack at the California state university highlights how the combination of vast quantities of personal information and lax online security has made educational institutions attractive targets for hackers.

Students and visitors walk across campus at the University of California, Berkeley, on February 19, 2014, in Berkeley, Calif. Administrators at UC Berkeley announced on Friday that hackers infiltrated the school's financial system containing data on 80,000 students, faculty, and alumni.

Melanie Stetson Freeman/The Christian Science Monitor/File

February 29, 2016

The University of California at Berkeley is investigating a cyberattack on a university computer system that holds financial data for 80,000 people, from students and alumni to faculty and vendors.

The San Francisco Bay area university said on Friday that there is no evidence any information has been stolen, but that it has notified potential victims of the data breach, which include about half of the school’s current students, two-thirds of its active employees, and over 10,000 vendors who work with the school.

The attack on the system, which stores social security and bank account numbers, occurred in late December when the university was patching a security flaw in its financial management system, school officials said.

The university frequently identifies similar hacking attempts, the school added. Indeed, the hack at UC Berkeley is just the latest in a series of large-scale cyberattacks on educational institutions. The combination of large stores of important data – from personal financial data to research and patents held by researchers – and often weak online defenses means colleges and universities are attractive targets for hackers around the world, security professionals say.

From 2013 to 2015, 550 universities reported some kind of data breach, NBC reported last fall, and in 2014 only the health care and retail sectors reported more security breaches than the education sector, according to Symantec's Internet Security Threat Report. Recent targets have ranged from the University of Connecticut and Johns Hopkins to the Maricopa County Community College District in Arizona.

And the attacks aren't just one-off assaults from small-time hackers, cybersecurity analysts say. The University of Wisconsin has reported 90,000 to 100,000 attempts to penetrate its system per day from China alone, University Business reported in October. Last May, the FBI informed Pennsylvania State University of a security breach potentially affecting 18,000 students and faculty, as well as around 500 research partners. The university was able to trace the hack to China, and found that it might have been going on for two years.

But a number of factors make it particularly hard for colleges and universities to defend against cyberattacks. First, the transient nature of the student body means new devices are constantly entering and leaving the university system. The academic environment also typically encourages the free flow of information, leaving institutions more vulnerable to attack. Purdue University's chief information security officer told University Business that schools have resisted implementing strong digital security measures because "researchers want to collaborate with others, inside and outside the university, and to share their discoveries."

Educational institutions are also often hamstrung by tight budgets and a market for education software that is unprofitable and therefore uncompetitive.

"Most of the third-party companies that provide software to educational institutions, frankly, don't focus on security," Michael Borohovski, founder and CTO of Tinfoil Security, told NBC News. "If they don't have to spend money on security and can still win a contract, that is what they’re going to do."

UC Berkeley officials have informed law enforcement, including the FBI, of the attack on their system, and have hired a private company to investigate the attack.

"The security and privacy of the personal information provided to the university is of great importance to us," said Paul Rivers, the university's chief information security officer, in a statement. "We regret that this occurred and have taken additional measures to better safeguard that information."

Material from Reuters and The Associated Press was used in this report.