Clop, a Russian ransomware group hacked into MOVEit servers in August, committing the most extensive data theft this year, possibly the next greatest cyberattack to be marked down in history. The breach exposed the shortcomings of the American education system’s ability to adequately protect student information online.
Many organizations and institutions implement MOVEit in their systems as a file-sharing tool. Progress Software, the company behind the MOVEit application, notified the United States educational nonprofit organization, the National Student Clearinghouse, about the data breach in May.
In the same month, MOVEit listed on the Common Vulnerabilities and Exposures database that a Structured Query Language injection vulnerability was found. It is one of the most common vulnerabilities exploited for malicious web-hacking purposes.
Professor Doctor Kutub Thakur, Ph.d. in computer science with specialization in cybersecurity, gave his expert commentary on the attack vector.
“SQL Injection is a code injection technique that might destroy your database, the collection of data,” Thakur said. “You and I as an individual, all of our data are collected to a depositary. This depositary needs to be protected. What an SQL injection does is destroy the database completely.”
According to Help Net Security, the National Student Clearinghouse, or NSC, provides educational reporting, data exchange, verification and research services to around 3,600 North American universities and 22,000 high schools. Many tech experts have emphasized the insufficient background checks in educational institutions and public organizations for the thirdparty vendors they hire.
In a report by Emsisoft, many organizations were exposed to the MOVEit breach by multiple vendors. This high exposure is true in the education sector with academic institutions impacted by NSC, the Teachers Insurance and Annuity Association of America-College Retirement Equities Fund, all of which used the vendor PBI Research services that utilized MOVEit.
Regarding the recent malware incident at Baruch College, Thakur told The Ticker that government regulatory agencies already encourage the education system to follow mitigation techniques and procedures for cyber-attacks.
“You know it’s not only Baruch, in any education system you need to follow general recommendations of ransomware mitigation techniques that is being given by various types of government agencies such as CISA, Department of Homeland Security and the Federal Bureau of Investigation,” Thakur stated.
Additionally, universities must legally follow the Family Educational Rights and Privacy Act which protects the privacy of students by limiting who has access to their school records.
Despite these legal protections, recent incidents have emphasized the education system’s room for improvement in enforcing these cybersecurity policies. For example, NSC discovered that cybercriminals had accessed school records containing students’ personal information including names, birth dates, Social Security numbers and student identification numbers on June 20.
Months later in September, 900 more colleges in New York City were warned about the cybersecurity incident. Baruch was one of the listed victims of the cyberattack.
Thakur recommended mitigation and prevention plans to prevent future breaches of personal information and malware attacks.
He also suggested institutions incorporate regular updates, installations of interior software on hosts and regularly train employees on security skills.
Moreover, an institution’s cybersecurity team should identify authorized and unauthorized devices and software. This is done through comprehensive vulnerability scanning, proper management, regular security risk analysis and implementing regular backups.
All institutions must go through the data selection process, where every organization has its own set of policies to follow while selecting their vendors to do business with. Organizations are advised to double-check partnered vendors to ensure the security of their systems.
“Having policies and procedures without enforcement of it is meaningless,” Thakur said. “You need to make sure first and foremost enforcement of policies goes through a comprehensive background check and that there’s a robust cybersecurity response team.” Thakur currently teaches “CIS 4560: Ethical Hacking” at Baruch.
It is crucial now more than ever for students to practice good cybersecurity hygiene with unexpected security breaches rising. One must be vigilant about protecting their information while using public sites and applications.
Some best practices include routinely changing passwords, only using secured websites and taking caution when waiving rights to personal information.