It took nothing more than a phone call with a familiar, convincing voice, a malicious actor posing as an internal contact, and the right person on the other end of the line. That is how a skilled hacker got their 'Vish'.
Meet the new cyber business model, 'Vishing'.
The act of posing as a familiar entity to evoke pity, fear or even sympathy and obtain critical information such as bank account numbers, one-time passcodes, passwords and more.
Hackers and attackers are getting better at this convincing scam, a form of persuasion used as a weapon.
Familiarity: a psychological loophole that easily slips past firewalls, BitLocker and antivirus and sinks its claws into naive human trust. This is the beginning of all breaches, scams and ransom attacks. Because familiarity cements trust, and digital trust translates into something like "I know this person... Let me give them what they ask for".
The more familiar your digital interactions become, the less suspicious you become, and that is precisely the kind of delicacy these attackers feast on.
In this article, we will dig into how an elite university fell victim to something as simple as a phone call with a familiar voice on the other end of the line.
The Ivy League university is home to 20,000 faculty and staff, 24,500 students in both undergraduate and postgraduate programs, and 400,000 alumni around the world.
With Harvard, databases of alumni, donors, students and faculty records were breached.
This screams one loud message, and that is: these hackers are not just trying to tap into financial data, but they want identities, networks, influence, leverage, and details of important student profiles.
Universities and other forms of educational institutions carry a wealth of information when it comes to personal histories, notable alumni details, and family networks, and that is just the personal part of it.
As for the actual prize, these institutions are a goldmine of datasets carrying information regarding research documents, experimental outcomes, grant records and communications, academic archives, and other highly confidential internal communications and information.
The breach exposed contact details, biographical data, email addresses, phone numbers, home and business addresses, and other sensitive information. The breach also included details of the alumni spouses, contact details for current students and parents.
Financial records, passwords and SSNs were not leaked, but information about donations, gifts, fundraising and alumni engagement activities was exposed.
Harvard managed to block any further access to prevent any kind of unauthorised activity, and they have turned to a third-party cybersecurity partner and law enforcement to prevent any further incidents.
Although Harvard was attacked twice in the same year, other Ivy League universities, such as the University of Pennsylvania and Princeton, also suffered similar breaches.
The University of Pennsylvania data breach:
The University’s response to the attack:
The infected systems were promptly locked down to stop further intrusion or any kind of unauthorised access. They turned to a third-party cybersecurity firm, CrowdStrike, to investigate the incident. Penn further reported this incident to the FBI and has now also implemented the necessary security patches issued by Oracle to resolve the exploited vulnerabilities.
The Princeton Breach:
The University’s response to the attack:
Well, this year’s breach can be next year’s impersonator.
It is never about what they possess; it is always about what they could do with all that data. It's about how they use that to build something dangerous tomorrow.
Stolen data can either be sold or held for ransom, and that is just skimming the surface of what could actually unfold.
When a hacker attacks an educational institution, they are not looking at just siphoning out data. They want leverage. They steal data because it is a multi-use asset. That data can be used, sold, used for impersonation, held as ransom or even worse, weaponised and automated.
With universities in focus, especially Ivy League universities, the student and faculty data that is exploited is of high value. This is because these students and faculty are not mere regular individuals. The data also consists of information about donors, alumni, professors and researchers who come with high social and financial capital.
Today, a single phishing email, or an email containing some enticing information, could expose your entire bank account, be it a business account, personal or a joint account. This could even manipulate your login request, or even go on to hijack digital identities tomorrow.
And that is precisely why encryption is important.
With encryption, even if a breach happens, the attackers at most see your files; they cannot open them or alter the information.
Once academic data, or any data for that matter, is exposed or compromised, it is taken to cyber marketplaces where it is sold, copied and duplicated indefinitely. This means leaked data is never truly gone.
While it seems absolutely harmless, this is just cannon fodder for targeted cybercrimes and personalised harassment. The real fun for hackers is that it is not just raw data that they are playing with. They are playing around with the credibility attached to it.
With university-based data breaches, attackers are impersonating trusted people in the university’s system to make phishing attempts and use socially enriched tactics to look super convincing.
Through this, in the end, the greatest risk is not exposure of information. It is using trust as a weapon, familiarity as a perfect loophole, using connection to manipulate access, finances, and using a simple professional relationship that is familiar to an insider to take complete control.
All of this and more under the guise of a legitimate academic connection.
Encryption is no longer an option, and it is most definitely not a fire drill that happens once in a while. It needs to be a daily practice among organisations to prevent serious breaches.
Be it encryption for business or just for personal use, it is an investment in your peace of mind and a perfect protection for your identity.
Encryption, if implemented properly, means that even if someone were to access your device or drive, they would be left with nothing but unreadable and useless ciphertext. For instance, AES-256 encryption is one of the strongest and most trusted types of encryption available. And the best part? AxCrypt offers you this, along with layered security like password protection and data breach prevention.
Whether you want secure file sharing options for documents like your property papers, legal documents, research material, and other documents, this encryption is a silent but loud shield protecting your privacy and peace of mind.
Not all attacks need to be a digital loophole. Some just need a gullible person on the team or a familiar voice that is on the other end of the line.
Here is a simple rule for spotting a vishing attack before it takes you in.
Got a random call at work? The voice seems familiar, but something seems off? Verify the caller with a simple, harmless, personal question whose answer only you and the person being impersonated know.
For example...
Impersonator pretending to be Mr David: Hey Jane… I need you to open my laptop and send me the “ABC” file immediately.
This is EXACTLY where the breach unfolds.
Either Jane, from accounts, can give the impersonator the file and bankrupt the company, OR she can prevent a vishing attack and get promoted with a really good hike for the move she pulled.
Jane: Sure. I’ll do that. But hey, how did your dentist appointment go? Did they remove the tooth?
Now the impersonator will answer, just to play along until they get their hands on what they are looking for. But Jane is smarter. She hangs up immediately and informs Mr David, who is on vacation in Bora Bora with his family.
Now this is merely an example of how your instincts, along with zero-knowledge encryption software, could save you from being the next breach headline.