Dive Brief:
- University email addresses with .edu credentials are particularly vulnerable to cyber theft, as students can receive significant discounts in online purchases, according to the Digital Citizen Alliance's latest report, "Cyber Criminals, College Credentials, and the Dark Web."
- Authors looked at the availability email credentials from the 300 largest U.S. colleges and universities, and found that 13,930,176 email addresses and passwords belonging to faculty, staff, students were available for purchase on sites in the dark web, which is an area of the Internet where illicit goods and services can be sold and bought. Acquisition of these credentials can have serious consequences for members of the institution and the institution itself, as they are more often than not being used for illegal activity.
- The report found that the University of Michigan had the most credentials offered on the dark web, followed by other large state schools — Penn State, University of Minnesota, Michigan State, Ohio State, and University of Illinois. In another statistic, MIT had the highest ratio of stolen email accounts to user, meaning that the same email can be sold multiple times, and it was followed by other technical schools Cornell, Carnegie Mellon, and Virginia Tech — though collectively, the most email addresses were stolen from schools in California.
Dive Insight:
Higher education administrators are already seeing the importance of enhancing cybersecurity on campus and working with IT departments in order to ensure that information on students and faculty is being kept safe. Some tactics that can be used for greater security include having IT leaders offer training and teaching to university members on how data breaches occur and can be prevented, as well as showing the effects of weak passwords. By helping campus members know how to identify and report suspicious emails, many administrators are already taking important first steps at creating a cyber-safe zone.
However, the trouble with cybersecurity is that threats are often difficult to anticipate. Washington State University, for instance, just had to send out an email to one million people that their information may have been accessed, as a backup hard drive with student and faculty data spanning 15 years was stolen from a safe by thieves. Such events reflect how important it is for CIOs to train university members on protecting their information, but also how the whole cybersecurity infrastructure may need to be updated to really prevent a data breach — this could come from transitioning over to a third party cloud service provider, though even this option may not be entirely safe.
The report from Digital Citizens Alliance only further highlights how CIOs and other higher education administrators have to think more broadly about the types of cyber threats that could exist for their institutional members. University emails with .edu credentials are often stolen because they are highly valuable on the dark web. Purchasing a .edu address offers the user anonymity and points the trail of illegal activity to the university member, and it can also be used to purchase goods and services like Amazon Prime at discounted prices. Further, since people often repeat passwords for multiple accounts, once a hacker also gains a password attached to an email, it can be used to access more than just campus sites that contain sensitive personal and financial information.
To protect students, CIOs can stay ahead of such information and inform their student and faculty members of the potential risks they should be looking out for. Informing students about the importance of developing strong passwords with two-factor authentification and immediately reporting any suspicious activity can help them stay safe online, as well as prevent a trail of illicit activity from coming back to the institution.