
‘Swiss cheese by design’: Why schools and universities are a prime target for cybercriminals

Over winter break in December 2023, Tam Nguyen got a call from an unexpected source – the Department of Homeland Security.

As the chief technology officer for Orange Unified School District in California, Nguyen was understandably skeptical. But the man provided details that verified he was phoning about a computer owned by the school district. And that computer, being used by a student at home, was interacting on the dark web with a command-and-control network, a system used by malicious hackers to communicate with and control compromised devices.

The computer luckily wasn’t connected to the school district’s network, and an administrator was able to remotely wipe its data using a Microsoft security app. But it was a close call. If the hackers had gotten on the district’s network, Nguyen knew, they could have potentially accessed sensitive personal or financial data or even launched a ransomware attack that could shut down the district’s network and wreak operational havoc.

Tam Nguyen.

“It’s a very real threat,” Nguyen says. “Who knows what it could have done?”

His concerns are well founded. The education sector is the third most targeted industry globally, a Microsoft Cyber Signals report found, with the United States seeing the most cyberthreat activity. Educational organizations have characteristics that make them vulnerable – and especially appealing – to cybercriminals, who often test their approaches on educational systems before moving on to bigger targets like government agencies or corporations.

Educational institutions frequently handle financial data, health records and personal information about staff and students. They typically have small IT departments, employees across a broad range of operations and open networks used by students as young as 6 years old – an age when understanding passwords, let alone multifactor authentication, is unlikely.

“How do you secure that student?” Nguyen says. “We have 23,000 kids that have to be able to bring in their own devices, get onto the network and access resources. It’s a completely open network. We have to enable all this access and empower learning, and at the same time keep the network safe.

“It is extremely daunting. It is Swiss cheese by design,” he says. “It is just crazy.”

Educational institutions are tasked with securing open networks used by students as young as 6 years old.

Anne Pasco is the assistant superintendent of information, systems and technology for Polk County Public Schools in central Florida. One of the biggest cybersecurity challenges facing school districts, she says, is balancing the widespread use of online educational tools with their potential security risks.

“We want our students to be well-versed in digital tools, and there are an infinite number of digital tools. Teachers feel they have to go above and beyond to do what they can for students and want to use every tool that they believe might assist them,” Pasco says.

“But each of these tools can be a security risk for data privacy, and potentially, cybercrime.”

Polk County Public Schools, the county’s second largest employer, has around 14,000 employees and 115,000 students at 130 schools. Pasco often wonders how – and how quickly – the district might recover from a catastrophic cyberattack.

Anne Pasco. (Photo courtesy of Anne Pasco)

“The question is, if you get knocked down, how fast can you get up?” she says. “Because at the end of the day, the students need to learn. That’s what worries me most.”

While Orange Unified escaped its close call, other targets haven’t been as lucky. The San Bernardino City Unified School District had a ransomware attack in 2019 that made its servers inaccessible and shut down its internet for weeks, locking staff out of their emails and leaving classes without Wi-Fi and online tools.

In a ransomware attack, malware is used to encrypt a target’s data, then the attacker typically demands payment for the decryption key needed to restore access to the data. In 2020, hackers extorted more than $1 million from the University of California at San Francisco School of Medicine so researchers could regain access to data the attackers had encrypted.

Cybercriminals also target educational institutions to access personal information that can be sold or used for identity theft and fraud. Data stolen from K-12 students, Nguyen says, has been used to open lines of credit that may go undetected, creating future problems for the unsuspecting victim.

“It was very lucrative for a while for bad actors to steal students’ or minors’ identities, because they can be utilized for so many years before anyone’s the wiser to it,” he says. “A student can graduate, go to get a credit card and get denied because their credit has been ruined for many years.”

‘A whole ecosystem’

Universities face their own unique cybersecurity challenges. Their culture emphasizes openness and information-sharing, but universities often hold highly sensitive intellectual property and work with government and industry on research projects in areas such as technology, engineering and nuclear science.

University students, often living away from the watchful eyes of parents for the first time, are prime targets for cybercriminals.

Hackers sometimes use compromised accounts of university employees as “springboards” into broader campaigns against government and industry targets, the Microsoft report notes. State-sponsored attacks have also targeted universities. The Iranian Mabna Institute hacked 320 universities around the world over several years, stealing credentials, intellectual property and data.

University presidents are effectively CEOs of financial organizations, housing providers and health care entities, the Microsoft report notes, making them potential targets for attackers focused on those sectors. And university students, many of them living away from the watchful eyes of parents for the first time, are prime targets for cybercriminals.

Jay James. (Photo courtesy of Jay James)

Students often use their university email accounts and passwords for other purposes like social media or banking, says Jay James, senior cybersecurity operations lead at Auburn University in Alabama.

Once a hacker gets into a student’s account, he says, they could attempt to access sensitive information on the university’s network and other applications the student uses.

“Now they have a lot they can do,” James says. “When you have these credentials from websites and applications that could have gotten compromised, that’s a big problem.”

At Oregon State University, students have been bilked out of up to $5,000 by bogus offers of employment, says David McMorries, the university’s chief information security officer. The scam typically works like this: A cybercriminal purporting to be an OSU employee emails students with a job offer, asking them to connect via personal email address or cell number if they’re interested.

Once away from OSU’s network, McMorries says, the scammer might ask the student to purchase gift cards and promise to reimburse them with extra money, or deposit a fake check in the student’s bank account, then make a withdrawal. McMorries knows of about a dozen OSU students who have fallen prey to the scam in the past 18 months and believes there are more.

David McMorries. (Photo by Karl Maasdam)

“It’s fairly common,” he says. “And of course, I’m not aware of all the successful attacks. I’m only aware of the ones where somebody reports.”

Cyberattacks have become increasingly sophisticated and specialized over the past decade, McMorries says, with attackers often focusing on a particular tactic, whether that’s selling stolen credentials or launching phishing attacks.

“It feels like there’s a whole ecosystem that’s built up, because there’s money to be made at this,” he says. “And that’s incentivized attackers to a degree which, it wasn’t like this 10 years ago.”

QR codes have become another valuable tool for hackers targeting the education sector. Cybercriminals will embed the codes in emails, flyers or other communications. When scanned, the codes can lead to phishing websites or download malware onto the user’s device. Microsoft Defender for Office 365 blocks more than 15,000 emails daily targeting the education sector with malicious QR codes, according to Microsoft.

Outsmarting the adversaries

Many educational organizations are using security tools like Microsoft Defender, Sentinel and Entra, and measures such as multifactor authentication and passkeys, to fight cyberattackers. But 99% of identity attacks are password-based, according to the 2024 Microsoft Digital Defense Report, making informed users a crucial first line of defense.

“We like to say that bad guys don’t break in – they log in,” says Corey Lee, security chief technology officer for Microsoft Education. “Logging in and gaining access to the online environment is the first step for almost every adversary.”

The education sector, Lee says, can protect itself by adopting a “zero trust” approach, prioritizing threat-informed defense, tightening security measures and leveraging AI to enable better oversight.

A student analyst works at Oregon State University’s security operations center. (Photo courtesy of OSU)

Educational organizations are tackling cybersecurity in numerous ways. Orange Unified School District, Nguyen says, has a “security in layers” approach that includes applying Microsoft security tools, requiring staff to use multifactor authentication any time they log on to the internet and training employees in cybersecurity.

“We can put as many pieces of software and equipment in place as we want,” he says. “It’s not going to equal what a trained and vigilant employee can prevent.”

Oregon State University and Auburn University have increased their use of security tools and hired students to bolster their cybersecurity efforts. Polk County Public Schools prohibits staff and students from connecting their own devices to the district’s network and requires that any new digital tools go through an approval process to ensure they meet security requirements.

The school district created a cybersecurity curriculum for students and developed a guide for teachers on questions to ask vendors about cybersecurity. There’s a focus on making cybersecurity part of daily conversations, Pasco says, as a way of embedding it into the organizational ethos.

“We approach cybersecurity by making sure it’s part of our culture,” she says. “Cybersecurity is just learning that this is the way we look at the world and the way we approach the world.”

Top photo: Students work on computers in a high school classroom in the Orange Unified School District. (Photo courtesy of Orange Unified School District)