The turn of the century saw the rise of digital technology, with organizations and businesses adopting new cloud and digital platforms that enable them to operate with greater efficiency and store large amounts of data with ease. However, with these advancements comes the risk of cyberattacks and new forms of criminal threats, which call for new cybersecurity measures to mitigate such risks.
Businesses, especially those in the retail and healthcare industries, often fall victim to cyberattacks because they hold personal consumer data that can be used with malicious intent when obtained by hackers. It is this same principle that makes educational institutions an easy target. Such institutions hold a treasure trove of valuable information, ranging from personal data and payment details to medical records and more, which is often stored on campus systems with IT infrastructures that do not have the mechanisms needed to protect data integrity.
To begin protecting themselves against various kinds of ransomware and phishing attacks, educational institutions must first understand the potential risks that they may be exposed to.
1. Breaches of the Personal Data Protection Act (PDPA) in Singapore
The Personal Data Protection Act (PDPA) of Singapore regulates the processing of personal data in the private sector and is an important area of concern for learning institutions. To understand how they can be held liable under this Act, consider the following cases:
In January 2021, GeniusU, a Singapore-based entrepreneurship education academy, lost 1.26 million personal data records to malicious actors due to a breach on its software development platform, GitHub, for which it paid a fine of S$35,000. Cybersecurity firm PortSwigger recently reported that GitHub suffered another breach in April 2022, when attackers used stolen authentication tokens to access and clone personal databases. The stolen information was then used to access other critical databases.
The North London Collegiate School (Singapore) also had its students’ personal data set (see table below) exposed by web crawlers due to a lack of proper data storage protocols. In addition, it relied on a related group company to manage its data without clear written agreements. This sensitive information was available on public search engines from December 2019 to July 2021. Consequently, the school was fined S$10,000 under the PDPA.
North London Collegiate School (Singapore): Data table on the number of affected individuals for each type of document accessible in the directory/folder that was exposed to web crawlers. Source: Personal Data Protection Commission (PDPC).
In 2016, the Singapore Management University (SMU) had its eLearning portal hacked by one of its students, who guessed his professor’s password in 8 attempts and managed to change his grades and access materials. In the same year, the National University of Singapore (NUS) lost 143 personal data records during orientation due to a wrong setting on Google Sheets. All it took was one complaint by a disgruntled student, and the university had to launch PDPA retraining sessions for its student leaders.
2. Stealing Sensitive Information
In February 2021, hackers stole 4,625 student data records from Champion Tutor and sold them on the dark web. The school had initially learnt of a possible vulnerability to SQL injection attacks during a penetration test in December 2020 and instructed its developer to fix the issue. However, when the developer failed to respond to the cybersecurity threat in time due to difficulties faced during the COVID-19 pandemic, the school chose not to resolve the issue, which led to the data breach. Only after the Personal Data Protection Commission (PDPC) informed it did the school become aware of the issue. In the end, Champion Tutor was fined S$10,000 on grounds of negligence and lack of adequate data protection systems.
These case studies are indicative of how hackers can steal sensitive data from learning institutions of all sizes. The 2020 Global Threat Intelligence Report showed that hackers have increased their attacks on the higher education sector by 29% compared to 2019.
Institutions of learning store sensitive information such as students' grades, tuition fees, and addresses for administration. There is always a demand for such personal data: advertisers looking to promote alternate tuition centres can use this data to target parents; criminals can leverage the data to impersonate parents and steal from close contacts and other related third parties; parents from low-income groups can be targeted with high-interest loans. These are just some of the ways that personal data can be used for malicious gains.
With increasing efforts made to raise awareness of the importance of data protection within educational institutions, the majority of parents are able to steer away from these exploitative attacks. However, there continue to be cases of personal data breaches, which can negatively impact such institutions if the data is found to have leaked from their digital infrastructure.
3. Lost Funds Due to Fraud and Phishing
Stolen data can also be used to carry out Business Email Compromise (BEC) scams. One such example is the case of an email phishing attack on the Manor Independent School District (MISD) in Texas, USA, where cybercriminals made use of BEC techniques to steal $2.3 million through school-vendor transactions.
The cybercriminals pretended to be existing vendors of the schools and emailed invoices asking for payments. School employees failed to recognize discrepancies in the email and bank account details and proceeded to make the payments requested. Without proper cybersecurity protocols in place, institutions of learning are highly susceptible to such scams even today.
Clients of local banking giant OCBC lost S$13.7 million to phishing attacks in January 2022. The phishing messages appeared to come from the official SMS thread used by OCBC, causing clients to make payments via the links included. Many did not even know they had lost money until the bank contacted them.
Sample of malicious SMS messages used for phishing attacks on OCBC clients. Source: Vulcan Post.
Prevention is better than cure
The reality is that criminals are targeting vulnerable IT systems to make illicit gains at the expense of learning institutions. Traditional methods to safeguard against thieves include installing locks and surveillance cameras to protect against physical threats. Such a lock and surveillance system would be equally important for the cybersecurity of institutions of learning.
It is easy to be buried in daily business activities and get caught off-guard when cyber criminals attack you. Proactively guarding against potential digital security weaknesses can prevent the loss of revenue, cost of ransomware, loss of company data, online data leakage, fines, penalties, hefty legal fees, and settlement issues.
A good cybersecurity plan can help protect the reputation of educational institutions and set the foundation for them to grow steadily. Preventing online threats is far cheaper than reversing the damage done, be it for start-ups or established businesses.
Implementing Your Cybersecurity Roadmap
Establishing a cybersecurity road map can provide you with a clear idea of your business’ risk capacity and help you see potential opportunities to take advantage of. One of the ways to do this is to use a risk categorization model with four threat levels. Once this is set, the cybersecurity team can then engage your C-Suite to discuss the most critical data assets that need to be protected. They can also consider respective trade-offs in implementation cost, operational impact, and risk of failure. Small businesses may often have to revisit their plans and implementation measures quarterly to ensure that they are still relevant and feasible after changes to their environment. After all, the service industry hinges on the reliability of its digital infrastructure.
If you need help planning and implementing your cybersecurity roadmap, please feel free to reach out to our specialists:
Lock Chee Wee
Partner and Industry Lead, Professional & Business Services
T: +65 6715 1188
Hoi Wai Khin
Director, Technology Consulting
T: +65 6594 7880