Cybersecurity expert offers advice after LCCC ‘IT disruption’


Lehigh Carbon Community College has reopened its campuses but a reported “IT disruption” that started nearly a month ago — which a school trustee labeled a data breach — has continued to affect internet and phone systems, leaving students and staff with unanswered questions about how best to protect themselves.

Joseph Squillace, an associate professor in Penn State’s department of privacy and cybersecurity informatics, offered perspective on what makes educational institutions vulnerable to cyberattacks and how students and staff can protect themselves:

Why are schools vulnerable to cyberattacks?

College students are profitable targets for hackers, Squillace said. Young adult students tend to have “brand new clean credit reports” that mean hackers can take advantage of students’ personal data to take out loans, open credit cards or commit health insurance fraud.

The amount of valuable research and development data that can be accessed through community college systems should also not be underestimated.

While top-tier research institutions might appear to be more attractive targets for hackers seeking access to cutting edge technology and research data, community colleges also handle large amounts of state-sponsored research and tend to have lower IT budgets and fewer cybersecurity protections, Squillace said.

How can students and staff protect themselves?

Proactive “digital hygiene” is the key to protecting your data, even in the case of a system breach that might expose your personal information, Squillace said. Here are some tips:

• Don’t reuse passwords for multiple accounts. Consider a password manager — but be careful to research whether or not that application stores your passwords in the cloud, as those systems are also vulnerable to hackers. Password managers that store data on a user’s individual device are more secure.

• Change passwords as soon as possible when notified of a potential breach. Even if a student’s school account is compromised, they can protect bank accounts and other sensitive accounts by promptly changing passwords on those accounts and setting up notifications to ensure that suspicious activity is flagged.

• Set up two-factor authentication whenever possible, especially on sensitive accounts. This is an important way to prevent access that also ensures account holders receive notice if someone else tries to access their account.

• Don’t forget to change the passwords on the applications that are linked under your school single-sign-on account. Applications such as Microsoft Teams, Zoom, Canvas, Moodle and Quizlet can all offer hackers an easy way to use a third-party site to access the data in your school account.

• Be careful with your social media footprint. Posts that reveal your personal habits, such as where you like to hang out on the weekend, can make social media users vulnerable to social engineering attacks in which a bad actor uses personal information to make their communications sound more genuine and up the odds that a phishing or scam attempt will succeed.

• Exercise extreme caution when clicking on links delivered through text or email. Hover over the link to determine where it is directing you. Recognize that IT departments and legitimate organizations like banks will not ask you to confirm or edit your password information via text, email or phone call.

• Avoid public Wi-Fi. The use of public Wi-Fi networks makes your data vulnerable to hackers. A community college campus that is physically open to the public is particularly vulnerable to bad actors who could easily access campus in order to set up “evil twin” networks that capture data being sent over public Wi-Fi.

• If using your own hotspots, make sure they are password protected (and don’t allow others to access your hotspots unless you specifically share the password with them). This could be a large issue at LCCC, as emails sent to students told students to be prepared to use their personal devices when returning to campuses that did not yet have restored Wi-Fi.

• Don’t use pirated software. Free textbook downloads or “cracked” applications that offer free versions of popular software are tempting for college students, Squillace said, but should be avoided as they may be infected with viruses or malware.

• Freeze your credit bureau accounts. This is free and does not prevent you from accessing credit, but rather means you will be notified if someone else tries to take out a loan or open a credit card using your information.

Why don’t schools disclose attacks?

State law requires public institutions, including schools, to disclose data breaches that could cause harm, but there are several reasons why a school might delay notification, limit what is disclosed or decline to confirm a cyberattack, Squillace said.

Schools that don’t confirm suspected data breaches may have never received the kind of “proof of life” ransomware demands that prove a hacker is actually in possession of a school’s data, Squillace said.

Without any kind of concrete evidence of what data fell into hackers’ hands, it can be extremely difficult to determine how long hackers might have had access to a system and what data was viewed or downloaded, Squillace added.

The lack of certainty around how long bad actors had access to a system can also make it hard to decide which backup versions to restore, Squillace said.
