December 05, 2025

From Ivy League Universities to Personal Data: Academic Data Breaches are at an all-time high!

It took nothing more than a phone call with a familiar and convincing voice, a malicious actor impersonating an internal contact, and just the right insider on the other end of the line. This is how a skilled hacker got their ‘Vish’.

Meet the brand new cybercriminal business model, ‘Vishing’.

Vishing is the act of impersonating a familiar entity to play on pity, fear or even sympathy and gain critical information like bank account numbers, OTPs, passwords and more.

Hackers and attackers are upgrading to this convincing scam as a form of weaponised persuasion.

Familiarity – a psychological loophole that easily cuts through firewalls, BitLocker, antiviruses and sinks its claws deep into naive human trust. This is the beginning of all breaches, scams and ransom attacks. Because familiarity cements trust, and digital trust translates into something like ‘I know this person…let me give them what they are asking for’.

The more familiar your digital interactions become, the less suspicious you become, and that is exactly the kind of treat that these attackers feast on.

In this article, we will dive into how an elite university fell prey to something as simple as a phone call with a familiar voice on the other end of the line.

The Harvard Data Breach Incident and What Happened In A Gist.

The Ivy League university is home to 20,000 faculty and staff, 24,500 students in both undergraduate and postgraduate programs, and 400,000 alumni around the world.

At Harvard, databases of alumni, donors, students and faculty records were breached.

This screams one loud message, and that is: these hackers are not just trying to tap into financial data, but they want identities, networks, influence, leverage, and details of important student profiles.

Universities and other forms of educational institutions carry a wealth of information when it comes to personal histories, notable alumni details, and family networks, and that is just the personal part of it.

As for the actual prize, these institutions are a goldmine of datasets carrying information regarding research documents, experimental outcomes, grant records and communications, academic archives, and other highly confidential internal communications and information.

  • What was exposed?

    The breach exposed contact details, biographical data, email addresses, phone numbers, home and business addresses, and other sensitive information. The breach also included details of alumni spouses and contact details for current students and parents.

    Financial records, passwords and SSNs were not leaked, but information about donations, gifts, fundraising and alumni engagement activities was exposed.

  • The University’s response to the attack:

    Harvard managed to block any further access to prevent any kind of unauthorised activity, and they have turned to a third-party cybersecurity partner and law enforcement to prevent any further incidents.

How Universities Are Becoming a Prime Target This Season.

While Harvard was attacked twice in the same year, other Ivy League universities, such as the University of Pennsylvania and Princeton, also faced similar breaches.

The University of Pennsylvania Data Breach:

  • The breach happened on the 30th of October. The threat actors used an employee’s PennKey SSO account to breach the university’s Salesforce instance, Qlik analytics platform, SAP business intelligence systems, and SharePoint files.
  • Hackers stole 1.71 GB of internal documents from the SharePoint and Box Storage platforms, which consisted of documents, financial information and alumni marketing materials.
  • Another claim in the digital heist is that they could’ve stolen nearly 1.2 million records of PII, including donation history and other demographic details.
  • The hackers also sent out mass emails from Penn.edu containing offensive messages, and exposed tens of thousands of internal university files on online forums.
  • The University’s response to the attack:

    The infected systems were promptly locked down to stop further intrusion or any kind of unauthorised access. They turned to a third-party cybersecurity firm, CrowdStrike, to investigate the incident. Penn further reported this incident to the FBI and has now also implemented the necessary security patches issued by Oracle to resolve the exploited vulnerabilities.

The Princeton Breach:

  • The Princeton database breach occurred on November 10th, and this was also a phone phishing attack.
  • Although the breach lasted less than 24 hours, it had a lasting impact. This is because the breach exposed information about fundraising activities and donations.
  • Sources say that the attack put nearly 100,000 people’s personal information at risk.
  • One other source claims that the hackers have taken more than enough information to commit identity theft and wreak havoc on thousands of individuals.
  • The investigation may take several weeks to examine exactly what data was compromised.
  • The University’s response to the attack:

  • The attack was stopped within 24 hours.
  • An external set of cybersecurity experts was deployed, and law enforcement was notified, too.
  • Princeton also notified the community to be vigilant about phishing attacks and enhanced its security protocols and training.
How does stealing data and information benefit hackers?

    Well, this year’s breach can be next year’s impersonator.

    It is never about what they possess; it is always about what they could do with all that data. It's about how they use that to build something dangerous tomorrow.

    Stolen data can either be sold or held for ransom, and that is just skimming the surface of what could actually unfold.

    When a hacker attacks an educational institution, they are not looking at just siphoning out data. They want leverage. They steal data because it is a multi-use asset. That data can be used, sold, used for impersonation, held as ransom or even worse, weaponised and automated.

    With universities in focus, especially Ivy League universities, the student and faculty data that is exploited is of high value. And this is because these students or faculty are not just regular individuals. The data also consists of information about donors, alumni, professors and researchers who come with high social and financial capital.

    Today, a single phishing email, or an email containing some enticing information, could expose your entire bank account, be it a business account, personal or a joint account. This could even manipulate your login request, or even go on to hijack digital identities tomorrow.

    And that is precisely why encryption is important.

    With encryption, even if a breach happens, attackers see at most your encrypted files, but they can never open them and alter the information.

How does stolen data work in the black market?

    Once academic data, or any data for that matter, is exposed or compromised, it is taken to cyber marketplaces where it is sold, copied and duplicated indefinitely. This means leaked data is never truly gone.

    While it seems absolutely harmless, this is just cannon fodder for targeted cybercrimes and personalised harassment. The real fun for hackers is that it is not just raw data that they are playing with. They are playing around with the credibility attached to it.

    With university-based data breaches, attackers are impersonating trusted people in the university’s system to make phishing attempts and use social engineering tactics to look highly convincing.

    Through this, in the end, the greatest risk is not exposure of information. It is using trust as a weapon, familiarity as a perfect loophole, using connection to manipulate access, finances, and using a simple professional relationship that is familiar to an insider to take complete control.

    All of this and more under the guise of a legitimate academic connection.

An investment in encryption, a prevention of breach.

    Encryption is no longer an option, and it is most definitely not a fire drill that happens once in a while. It needs to be a daily practice among organisations to prevent serious breaches.

    Be it encryption for business or just for personal use, it is an investment in your peace of mind and a perfect protection for your identity.

  • How encryption works.

    Encryption, if implemented properly, means that even if someone were to access your device or drive, they would be left with nothing but unreadable and useless ciphertext. For instance, AES-256 encryption is one of the strongest and most trusted types of encryption available. And the best part? AxCrypt offers you this, along with layered security like password protection and data breach prevention.

    If you want secure file sharing options for documents like your property papers, legal documents, research material, and other documents, this encryption is a silent but loud shield protecting your privacy and peace of mind.

An added layer of security, encryption, and a simple human test could expose who you’re handing over sensitive information to.

    Not all attacks need to be a digital loophole. Some just need a gullible person on the team or a familiar voice that is on the other end of the line.

    Here is a simple rule to spot a vishing attack before it takes you in.

    Got a random call at work? Seems quite familiar, but something seems off? Just verify that call with a simple, harmless, and personal question that only you and the other person who is being impersonated know.

    For example...

    Impersonator pretending to be Mr David: Hey Jane… I need you to open my laptop and send me the “ABC” file immediately.

    This is EXACTLY where the breach unfolds.

    Either Jane, from accounts, can give the impersonator the file and get the company bankrupt, OR she can prevent a Vishing attack and get promoted with a really good hike for this move she pulled.

    Jane: Sure. I’ll do that. But hey, how did your dentist appointment go? Did they remove the tooth?

    Now the impersonator will answer, just to play along until they get their hands on what they are looking for. But Jane is smarter. She hangs up immediately and informs Mr David, who is on vacation in Bora Bora with his family.

    This is merely an example of how your instincts, along with zero-knowledge encryption software, could save you from being the next breach headline.
