In August, University of Mumbai’s Institute of Open and Distance Learning had to call off exams after its server was hit by a cyberattack. In June, students of Manipal Academy of Higher Education (MAHE) alleged that the institute’s online exam software was infected with malware and crashed their systems. MAHE had refuted the claims. With thousands of schools and colleges shifting to remote admissions, learning and exams after covid-19, the chinks in cybersecurity are beginning to show.
Cybersecurity firm Barracuda Networks, for instance, found over 1,000 spear-phishing attacks targeting educational institutions in India between July and September. Spear-phishing refers to targeted phishing email attacks.
“Lack of awareness, tight budget and limited resources make schools easy targets for cyberattacks and unfortunately, make attacks more effective,” said Murali Urs, country manager, India, of Barracuda Networks. Educational institutions are prime targets for cyberattacks, given the wealth of data hosted in their servers. Online education is a fairly new concept in India, and cybersecurity is not yet a priority for most educational institutions.
Security researcher Karan Saini said that personal data stolen from schools is frequently sold on the Internet and the dark web. Additionally, compromising a .edu domain, which is what most educational institutes use, allows criminals to make their attacks more potent. In fact, Barracuda Networks’ findings showed that 57% of infectious emails sent to institutions were from internal accounts.
Saini said phishing emails sent from a .edu domain are more likely to clear spam filters on email services. A hacked server could yield thousands of email addresses ending with .edu.
“When it comes to in-campus infrastructure, which includes its educational technology like smart classes, school-level ERP and attendance automation, the security standards aren’t as competent as enterprises,” said Vinayak Godse, vice president, Data Security Council of India, an industry body on data protection set up by Nasscom.
Godse said cybercriminals can steal personal information of staff, students and parents, demand ransom and at times harm the reputation of institutions. Also, premier academic research institutions can potentially be targeted for research intelligence and intellectual property. However, cyber awareness is growing. Siddhartha Gupta, CEO of Mercer Mettl, an e-learning solutions provider, said clients are more cautious about the platforms they use.