This article originally appeared in SiliconANGLE on April 2, 2019.
The records of about 1.3 million students and faculty of the Georgia Institute of Technology have been stolen in the latest hack of an educational institution.
The data accessed and stolen included the names, addresses, Social Security numbers and birthdates of current and former faculty, students, staff and student applicants.
According to a press release Tuesday from Georgia Tech, as soon as the school “learned of the illegal access” it “immediately corrected the impacted application.” Details of how the hack took place or which specific systems were exploited were not shared.
Dan Tuchler, chief marketing officer at SecurityFirst Corp., didn’t hold back, telling SiliconANGLE that it’s ironic that a university with a high ranking in computer science and that offers courses in cybersecurity was hacked.
“This in a state which has had privacy regulations in place – the Georgia Personal Identity Protection Act – since 2007,” Tuchler said. “This is a clear example of the need for encryption of personal data. Hackers always find a way in and they need to be stopped before they get the personal data.”
Kevin Bocek, vice president of security strategy and threat intelligence at Venafi Inc., said that the breach is just one more example of the security failures plaguing many organizations.
“Unfortunately, the push to encrypt more data has some unintended consequences for organizations that don’t have a program in place to manage machine identities effectively,” Bocek said. “The problem is that cyberattackers can hijack machine identities and use them to hide malicious activities. Most organizations don’t have the technology necessary to make it possible for them to figure out which machine identities should be trusted and which should not.”
Mike Bittner, digital security and operations manager at The Media Trust, shed some more light on the form of the attack, saying that it likely happened because web apps are notorious for SQL and cross-site scripting vulnerabilities.
“Web app vulnerabilities often lie within the servers themselves, which can be infiltrated through brute force attacks and password guesses,” Bittner said. “Bad actors can manipulate the source code, inject rogue code via third-party vendor libraries. Since these third parties operate outside the university’s IT infrastructure, these attacks are harder to monitor and therefore easier to pull off.”
The problem, he added, is that once the server is compromised, hackers often create second-day back doors to get in later if the front door gets shut. “Developers of these web apps should be held to a higher standard given the risk that the sensitive information they process and store can be exposed,” he said.