Impact Of University Data Breach Unclear In Arizona
So far, no universities in Arizona have found connection to an international cyber-attack, but investigations are ongoing.
On Friday, the Department of Justice un-sealed the indictment of nine Iranian men charged with coordinating an attack on the computer systems of American and International institutions, including 144 universities.
The hackers stole more than 31 terabytes of academic data and intellectual property from universities, according to DOJ, and compromised the email accounts of about 8,000 professors.
“I am not certain that none of the Arizona universities were impacted,” said Lanita Collette, chief university security officer at the University of Arizona.
“In the research I’ve done so far it does not indicate that the University of Arizona was involved,” she said. “I have reached out to our partners with the FBI to see if they can get more information to us, and so it may turn out that one of the Universities were impacted.”
In Tempe, Arizona State University is conducting its own investigation.
“Prompted by a media inquiry, Arizona State University’s University Technology Office and the Office of the Chief Information Officer began conducting a review to determine the existence of any connection between ASU and the criminal action detailed Friday by the Department of Justice,” an Arizona State University spokesman said in a statement. “As yet no such connection has been found.”
Northern Arizona University spokeswoman said the university, “was not affected by this cyberattack,” and declined to further discuss the university’s cybersecurity efforts.
Universities in Arizona have been very pro-active in their cybersecurity efforts, said Collette.
“To strengthen their security programs, to better train users, to beef up our technical controls — it’s been an item of very high interest and support among campus leadership for all three universities and we take it very seriously,” she said.
The Iranian hackers didn’t have to use sophisticated techniques, according to Collette. She said they simply sent out phishing emails. In phishing attacks, hackers craft emails that appear to be from reputable organizations asking to confirm the user’s log in or payment information. If the user falls for the ruse, a bad actors can use their information to access accounts and data.
“We are frequently the target of phishing attacks from a variety of different bad actors out there,” Collette said. “We see them come through out email pretty much on a daily basis.”
The University of Arizona uses two-factor authentication and trains its employees to report any emails that ask users to enter both their username and password.
DOJ said this is one of the largest state-sponsored hacking organizations they’ve ever uncovered.
“We have unmasked criminals who normally hide behind the ones and zeros of computer code,” U.S. Attorney Geoffrey Berman said in a statement.
In addition to 144 American Universities, DOJ said the hackers also targeted 176 foreign universities across 21 countries, 47 domestic and foreign private sector companies, the U.S. Department of Labor, the Federal Energy Regulatory Commission, the State of Hawaii, the State of Indiana, the United Nations, and the United Nations Children’s Fund.