Why Does the Education Sector Need Cyber Crisis Tabletop Exercises?
Date: 17 June 2024
If you so much as glance at our monthly compilation of cyber attacks, ransomware attacks and data breaches, you’ll note one overwhelming fact. There’s one industry that’s never missing from the list of those targeted by cyber crime. And that’s the education sector.
This fact pretty much answers the question we ask in the title - Why do Educational Institutions need Cyber Attack Tabletop Exercises?
But the question deserves a more in-depth look at the urgency of cyber drills and enhanced cyber protection for educational institutions. And that’s exactly what we’re going to do through this blog. We'll also show you how to conduct effective cyber drills for your institution.
Additionally, you’ll find an exhaustive compilation of recent cyber attacks on Educational Institutions at the end of this blog. This list is meant to offer you a refreshed perspective on just how rampant cyber crime in the domain of education really is. It also offers a retrospective glance at the tactics and techniques of threat actors who regularly target this sector.
Further, understanding recent attacks in your industry can give you a good idea of the Incident Response strategies employed by your peers. You can then evaluate, with your team, what you thought worked well and what could have been done differently. The sum of these lessons learned can then be leveraged to improve, review and refresh your own cyber incident response plans.
Topics Covered:
- Why do Hackers Target Educational Institutions?
- How to Tailor Cyber Drills for this Industry?
- Top Cyber Tabletop Exercise Scenarios for the Education Sector
- Major Cyber Attacks on Academic Institutions 2023-2024
What Makes the Education Sector a Prime Target for Cyber Crime?
Before we delve into the best ways to curate effective Cyber Tabletop Exercises for the Education Sector, let’s look at what makes this industry such an attractive target for cyber criminals.
There’s a host of reasons why everyone from rookie hackers to expert ransomware gangs continues to attack schools, universities and other educational institutions. In our opinion, these are the three main ones:
- Wealth of Data: If it’s sensitive information a hacker is after, there’s tonnes of it in an educational institution. From personal data of students, alumni, staff to financial records of payments made by parents, health information on allergies and medications etc., schools and colleges often hold vast troves of information that can be exploited.
Apart from the shock value of leaking sensitive data of children and minors (which cyber criminals love), this data can also be used for financial fraud, identity theft and many similar malicious activities.
Institutions of learning also offer cyber criminals a large attack surface, especially since the COVID-19 pandemic. Extensive use of online learning platforms, remote access tools and use of personal devices for school work etc., all increase the entry points for attackers into an educational institute’s network.
- Low-hanging fruit: This is an unfortunate, general truth about the education sector - cybersecurity awareness and sophisticated security measures run low in supply. Most educational institutions will typically have lower budgets for IT infrastructure and cybersecurity controls compared with large government bodies or multinational organisations. This makes it much easier for cyber criminals to breach defences, infiltrate their systems and compromise data.
The high user turnover at educational institutions makes matters worse. With students graduating each year and new ones taking their places and a significant churn in teaching staff too, it’s difficult to keep a tight control on security protocols.
- Disruption and Theft of Intellectual Property: Like we said before, hackers love drama. A cyber attack at an academic institution leads to significant disruption and chaos. Classes can be disrupted, research work may be brought to a halt, important events may have to be cancelled.
Such disruptions may often put pressure on the institution of learning to negotiate with the attacker. One of the most compelling reasons for attacking universities and specialised learning institutions is often intellectual property theft. Advanced educational facilities will often have students working on cutting-edge technologies and confidential research projects.
Cybercriminals, including state-sponsored actors, may target these institutions to steal research data or intellectual property for competitive or geopolitical advantages.
Given the above reasons, it’s clear that institutions of learning can be very lucrative and easy-to-breach targets for cyber attackers. And this is precisely why entities in this sector require regular Cyber Attack Tabletop Exercises.
Tailoring Cyber Attack Tabletop Exercises for the Education Sector
Cyber Crisis Tabletop Exercises have to be sector-specific and extremely relevant no matter the industry. However, for the education sector, the cyber drill must be even more nuanced.
One has to keep in mind that the data that may be exposed in a cyber attack in this industry can be highly sensitive as it will belong to minors in many cases. Further, attacks on institutions of learning can disrupt classes, teaching and research, directly impacting the academic and even career progression of many students.
The Cyber Tabletop Exercise has to take into consideration the fact that many people in charge of responding to the attack or managing crisis communications may be entirely non-technical. Therefore, the cyber drill scenario must speak to them and elicit the right responses.
Collaboration is key for any cyber exercise but particularly so for one in the education space. When done correctly, cyber tabletop exercises can massively improve communication and coordination among different departments and stakeholders during a cyber incident. This collaboration is critical for an effective and timely response to cyber threats.
Such collaboration also results in a better cybersecurity culture for the entire institution. Once teachers and administrators understand the current cyber threat landscape and enforce better cybersecurity practices, the effect trickles down to all students using institutional or personal devices.
In the next section, we look at some of the top Cyber Crisis Tabletop Exercise Scenarios that educational institutions must focus on.
Cyber Tabletop Exercise Scenarios for the Education Sector
The key to a successful Cyber Attack Tabletop Exercise is the scenario it is based on. The scenario must be curated specifically for your business and industry.
In the case of Cyber Drills for the Education sector, here are a couple of scenarios we always recommend our clients rehearse. These cyber attack scenarios are not only relevant for academic institutions but are also the ones that occur most commonly in this sector based on historical data.
- Phishing Campaign: Very often, an attack on a school or university begins with a phishing email. Like we discussed earlier, cybersecurity awareness levels can often be lower in this industry. Therefore, an unsuspecting member of the staff or even a student, might click on a suspicious email attachment or link. This can jeopardise the entire institution’s network. A phishing campaign can also compromise user credentials or unsecured passwords.
While rehearsing this scenario, make sure there is adequate discussion about cybersecurity hygiene and the importance of using 2FA and strong passwords.
- Ransomware Attack: Simulating a ransomware attack would typically involve critical data being encrypted. This would be followed by the attacker demanding payment for decryption. A ransomware attack can also bring the online systems of the institution to a halt, potentially disrupting teaching, research work, administrative tasks etc.
Focus on how your educational institution will deal with this disruption while simultaneously containing the situation. Who will lead communication with stakeholders, parents and students? And always remember, it’s never ever recommended to negotiate with ransomware attackers. There’s no honour amongst thieves in the world of cyber crime.
- Data Breach: A data breach scenario is straightforward - sensitive student and staff information is compromised. Now you need to practise identifying the breach and notifying affected individuals and the appropriate authorities. It is also imperative to deliberate over measures that can be implemented at your institution to prevent such incidents from actually occurring.
Cyber Tabletop Exercises created using the above scenarios will give you a clear picture of your cyber resilience. How prepared are you for an actual attack? Do you have an effective Cyber Incident Response Plan? What is the level of coordination and collaboration amongst the different departments? Do you have the necessary security measures in place to prevent rudimentary ransomware attacks and phishing attacks?
In the next section, we look at major attacks on educational institutions in the recent past. This list, too, will give you a historical overview of the most common tactics and techniques used by cyber criminals in your industry and how your peers mitigated the damage (or not).
Recent Cyber Attacks on Educational Institutions 2023-2024
| Event Date | Educational Institute | Incident | Threat Actor | Impact | Source |
|---|---|---|---|---|---|
| May 29, 2024 | North American University | Free Piano phish targets American university students, staff | Unknown | A large-scale phishing campaign is using an unusual lure to earn at least $900,000 by tricking email recipients into believing they're about to receive a baby grand piano for free. | |
| May 08, 2024 | University System of Georgia | University System of Georgia Says 800,000 Impacted by MOVEit Hack | Clop Ransomware (Under MOVEit) | University System of Georgia notified 800,000 individuals that their personal and financial information was compromised in the May 2023 MOVEit hack. | |
| April 04, 2024 | University of Winnipeg | Thousands of staff, students have sensitive data stolen in University of Winnipeg hack | Unknown | The University of Winnipeg in Canada has confirmed that hackers stole sensitive information from the institution in an incident that took place in late March, affecting former and current students and staff. | |
| February 20, 2024 | Prince George’s County Public Schools (PGCPS) | DC-area school system says data of 100,000 people affected in ransomware attack | Unknown | Prince George’s County Public Schools in the Washington, D.C., suburbs said the personal information of nearly 100,000 people was breached by a ransomware gang right before classes started in the fall. According to a regulatory filing, the district school determined that “personal information was included in the potentially impacted data set.” | |
| January 18, 2024 | Kansas State University | Kansas State University says cyber attack disrupted IT network and services | Unknown | Kansas State University (K-State) announced it was managing a cybersecurity incident that has disrupted certain network systems, including VPN, K-State emails, and video services on Canvas and Mediasite. | |
| November 1, 2023 | California community college Río Hondo | California community college Río Hondo deals with a cybersecurity incident. | LockBit Ransomware | Río Hondo College in Southern California is dealing with a cybersecurity incident that limited campus functions for days before most services were returned. The school did not identify the disruptions as related to cyber attacks, but the LockBit ransomware gang added the school to its list of victims, giving officials until November 20 to pay an undisclosed ransom. | |
| October 27, 2023 | Stanford University | Stanford University is investigating a cyber attack after ransomware claims | Akira ransomware gang | The ransomware gang claimed it attacked Stanford University and stole 430 gigabytes of data. | |
| October 23, 2023 | University of Michigan | University of Michigan employee, student data stolen in cyber attack | Unknown | The University of Michigan said in a statement that they suffered a data breach after hackers broke into their network in August and accessed systems with information belonging to students, applicants, alumni, donors, employees, patients, and research study participants. | |
| September 3, 2023 | University of Sydney | University of Sydney data breach impacts recent applicants | Unknown | In the data breach announcement, the university said that incident had a limited impact and the preliminary investigation found no evidence that local students, staff, or alumni have been impacted. | |
| June 9, 2023 | University of Manchester | University of Manchester says hackers ‘likely’ stole data in cyber attack | Unknown | University confirmed that some of its systems had been accessed by an unauthorised party and data may have likely been copied. | |
| May 10, 2023 | Bristol Community College | Bristol Community College suffers data breach, thousands affected | Unknown | Bristol Community College has disclosed a data breach that compromised more than 50,000 Social Security numbers. | |
| May 03, 2023 | Bluefield University | Ransomware gang hijacks university alert system to issue threats | Avos ransomware | The Avos ransomware gang hijacked Bluefield University's emergency broadcast system, "RamAlert," to send students and staff SMS texts and email alerts that their data was stolen and would soon be released. The University disclosed to students and staff that they had suffered a that impacted the IT systems, causing all examinations to be postponed. | |
| April 06, 2023 | Open University of Cyprus | Medusa ransomware claims attack on Open University of Cyprus | Medusa ransomware | The Medusa ransomware gang claimed a cyberattack on the Open University of Cyprus (OUC), which caused severe disruptions to operations. The ransomware group posted OUC on its data leak site, giving the institute 14 days to respond to its ransom demands. The hackers asked for $100,000. The threat group set the same price for both deleting the data as well as for selling it to an interested party. | |
| February 01, 2023 | Morgan Hill Unified School District | Morgan Hill Unified School District discloses data breach | Unknown | Morgan Hill Unified School District in California has disclosed a breach that occurred when an employee’s email account was accessed without authorization between September 11 and October 11, 2022. | Morgan Hill Unified School District Data Breach |
| January 30, 2023 | TUSD School District | Cybersecurity incident shuts down TUSD internet, network services | Unknown | A cybersecurity incident on Tucson Unified School District’s technology network shut down the district’s internet and network services | |
| January 26, 2023 | Stratford University | Stratford University discloses ransomware attack. Multiple gangs take credit. | REvil, Snatch Team, and Avos Locker | REvil’s attack had been disclosed by REvil back in April of 2022. Snatch Team added their attack to their own leak site on August 17, presumably before the attack Stratford reported as occurring August 26. On January 15, 2023, Snatch Team dumped more than 50 GB of files from the school on their leak site. And Avos Locker started leaking the school’s data on September 7. | |
| January 21, 2023 | Instituto Federal Do Pará | Instituto Federal Do Pará Attack Claimed By BlackCat | BlackCat | The Instituto Federal Do Pará (IFPA), the public education institution in Brazil, was added to the leaks site of the AlphV (BlackCat) group on January 21 with a message saying, “The guys decided to ignore our ransom demands, so the data of their employees and students will be published and put up for sale”. BlackCat’s proofpack consists of screenshots from a directory of folders but without any contents or files. Some of the folder names appear to be individuals’ names. | |
| January 20, 2023 | LA Unified School District | LAUSD says Vice Society ransomware gang stole contractors’ SSNs | Vice Society | Los Angeles Unified School District (LAUSD), the second-largest school district in the United States, says the Vice Society ransomware gang has stolen files containing contractors' personal information, including Social Security Numbers (SSNs). | |
| January 19, 2023 | Maple Ridge - Pitt Meadows School District No.42 | More than 19,000 records released in B.C. school district data breach | Unknown | In a statement, School District 42 — which encompasses Maple Ridge and Pitt Meadows — said 19,126 records were publicly released in a breach that was first noticed in the afternoon of Jan. 17, 2023. The documents appear to have been uploaded to a popular hacker forum on Jan. 15. The records include first and last names, schools and departments, email addresses and students’ grades. | |
| January 13, 2023 | Okanagan College in Kelowna, British Columbia | BC college warns students and staff of potential data breach | Unknown | An "unrecognised external agent," forced the college IT team to shut down and disable network access across all of Okanagan College's campuses in Kelowna, Vernon, Penticton and Salmon Arm. | |
| January 9, 2023 | Oxford University | UK: Oxford University dating website for staff and students shut down after ‘huge data breach’ | Unknown | A dating website for Oxford University students has been accused of breaching student and staff privacy after revealing the name of everyone with a university email address. | |
| January 9, 2023 | 16 schools across Hull and Yorkshire | Hackers demand £15 million ransom from Hull and Yorkshire schools after cyber attack | Unknown | Teachers at 16 schools across Hull and Yorkshire were unable to use their computers after hackers demanded a £15 million ransom. All 15 schools in the Hope Sentamu Learning Trust, which includes Hull secondary school Archbishop Sentamu Academy, were affected by the cyber attack. Hymers College, an independent school in Hull that charges fees of £13,000 a year, was also hacked. | |
| January 9, 2023 | Des Moines Public Schools | Des Moines Public Schools cancels classes after cybersecurity attack | Unknown | Des Moines Public Schools cancelled all classes after officials took the district's internet and network offline following what they described as "unusual activity" that was later determined to be an apparent cybersecurity attack. | |
| January 4, 2023 | Queensland University of Technology | Royal ransomware claims attack on Queensland University of Technology | Royal Ransomware | The Royal Ransomware gang has claimed responsibility for a recent cyber attack on the Queensland University of Technology and begun to leak data allegedly stolen during the security breach. | |
| January 3, 2023 | University of Miami Health System | University of Miami investigated a data breach | Unknown | The University issued a public notice to inform its patients and others that a security incident affected a limited number of UHealth – University of Miami Health System patients. | |
| January 2, 2023 | Havana University | Cuban University Websites Hacked | Cuba Ransomware | Anonymous Cuba began the year by attacking the security of a number of Havana University faculties’ webpages, posting caricatures of Cuban leaders on them, as well as photographs showing scenes of repression and offensive messages against Cuban president Miguel Díaz-Canel, calling for the end to dictatorship. | |
| January 1, 2023 | Bristol Community College | Bristol Community College's computer systems hacked in ransomware attack | Unknown | “The college has discovered a network interruption issue impacting onsite internet and network functions including email, Teams, shared document sites and information systems, for students and employees,” college officials said. | |