2019 DBIR: Data Breaches in Educational Services

Education continues to be plagued by errors, social engineering and inadequately secured email credentials. With regard to incidents, DoS attacks account for over half of all incidents in Education.

Frequency

382 incidents, 99 with confirmed data disclosure

Top 3 patterns

Miscellaneous Errors, Web Application Attacks, and Everything Else
represent 80% of breaches

Threat actors

External (57%), Internal (45%), Multiple parties (2%) (breaches)

Actor motives

Financial (80%), Espionage (11%), Fun (4%), Grudge (2%),
Ideology (2%) (breaches)

Data compromised

Personal (55%), Credentials (53%) and Internal (35%) (breaches)

It’s in the syllabus

Anticipating the top pattern for Education each year is a bit like playing the "which shell is it under?" game.You know it’s (most likely) under one of three shells, but when you finally point to one, t he data proves you wrong with a deft statistical sleight of hand. There were three patterns in a statistical dead heat, and like the Netherlands’ women speed skaters in the 3000m, it was a dominant podium sweep. Miscellaneous Errors (35%) had a strong showing, because (spoiler alert) people still have their moments. Most of these errors are of the typical misdelivery and publishing error types that we have all come to know and love.

Web Application Attacks accounted for roughly one quarter of breaches in the Education vertical. This is mostly due to the frequent compromise of cloud-based mail services via phishing links to phony login pages. So, if you use such a service 24/7/...365 you might want to consider tightening up your password security, implementing a second authentication factor, and then turning off IMAP.

Everything Else, as previously stated, is more or less the pattern equivalent of a "lost and found" bin. It contains numerous incident types we frequently encounter but that do not provide enough granularity for us to place in one of the other patterns. For example, there are compromised mail servers, but it was undetermined if stolen web credentials were the point of entry. About half or more of these breaches could be attributed to social engineering attacks via phishing.

When known, the motivation is primarily financial, and is carried out mostly by organized criminal groups. There was a smattering of state-affiliated or cyber-espionage cases in this year’s data set, a reduction from the 2017 report as shown in Figure 49. This finding should not convince our readers that attacks seeking research findings and other espionage-related goals have gone the way of Home Economics in this vertical, but is instead more related to the number and type of incidents provided by our partners.

Aspectos que debes tener en cuenta

Clean out your lockers

Many of the breaches that are represented in this industry are a result of poor security hygiene and a lack of attention to detail. Clean up human error to the best extent possible – then establish a baseline level of security around internet-facing assets like web servers. And in 2019, 2FA on those servers is baseline security.

Varsity or JV?

Universities that partner with private Silicon Valley companies, run policy institutes or research centers are probably more likely to be a target of cyber-espionage than secondary school districts. Understand what data you have and the type of adversary who historically seeks it. Your institution of learning may not be researching bleeding-edge tech, but you have PII on students and faculty at the very least.

Security conformity

There are threats that (no matter how individualized one may feel) everyone still has to contend with. Phishing and general email security, Ransomware, and DoS are all potential issues that should be threat modeled and addressed. These topics may not seem new, but we still have not learned our lesson.

Educational Services