Hacktivist Student Protests High Tuition; Targets Cornell & University of Hawaii
Another update, 1/12: A statement from the hacker:
I am not a lone hacktivist, I am a part of a group. We call ourselves "Team Carbonic", our twitter is @TeamCarbonic. I released both statements yes, but they were both reasons that prompted me to do this.
Update 1/12: Fordham University tweeted at me 1/10: Fordham info not compromised. Claim recycled from 2010; data stolen from http://www.kaplanfinancial.com , not Fordham
Defined by Dictionary.com, hacktivism is the practice of gaining unauthorized access to a computer system and carrying out various disruptive actions as a means of achieving political or social goals: “In this form of hacktivism, the hacker tries to alter or deface a government website.”
They plague nearly every type of organization, but you don’t typically hear universities on that list. Until now. DataBreaches.net reports on a university student hacker that hit the University of Hawaii and Cornell University, while Softpedia reports on a hacker group that posted data on Pastebin from a much longer list of educational institutions, including:
- California State
- Fordham University
- University of Kentucky
- University of Connecticut
- University of Maryland
- Coastal Carolina University
- Abertay University
Although not yet confirmed, the University of Hawaii data dump contains root usernames/passwords, mac addresses, service tags, usernames and more of each computer at their university. The Cornell University data stolen includes employee names, work emails and phone numbers, as well as some information about the university’s utilities.
DataBreaches.net reported that in an interview with the hacker (referred to with the gender pronoun of ‘he’), he mentioned his motivation for the attack:
I am a University student myself, and I am already knee-high in debt. You shouldn’t be forced to pay crazy high tuition fees just because you want to pursue an education and not work at some sh** shack like McDonald’s. I can see myself spending half my life after graduating just paying off loans and I don’t want that for myself or anyone else. This is my way of protesting.
Attempting to lower tuition costs by hacking a university might backfire, unsurprisingly, as seen in the 2013 breach of Maricopa County Community College (MCCCD) affecting 2.5 million records, resulting in remediation costs of nearly $20 million. After, a proposal to increase tuition by $5 per credit to pay for ‘fraud prevention and mitigation’ was brought to the college district governing board. However, in this particular case affecting the University of Hawaii and Cornell, the hacker hasn’t yet released all student and/or employee records, but is threatening to do so.
The hacktivist released another statement on Pastebin stating he was just working for the ‘lulz’, but also to reveal alleged incompetence of university IT staff:
I targeted universities for the sole pleasure of the "lulz" that came out of this. It is true, I have thousands upon thousands of logins, employee ids, and various other sensitive information regarding the universities. What I intend to do with this data is publicize it to undermine the idiots at the IT Team.
Other universities hit by hackers last year include the University of Maryland, affecting 300,000 students and employees. Attackers uploaded a Trojan to a photo-sharing site of the university, then managed to access the UMD’s IT management directory. After stealing and changing IT administrator passwords, they were able to access a database housing names, SSNs and university IDs of students and staff.
This attack prompted UMD’s president to testify in front of Congress about their incident, citing the high costs attributed to the breach to include $6.2 million for credit monitoring, $20-30 million to add encryption, and even more to hire consultants in order to prevent future attacks, as CNSMaryland.org reported.
So, whether or not this hacktivist gets his concerns heard, or universities just end up having to hike tuition to cover the fallout, it’s a good lesson in security awareness among educational institutions all the same. Another important fact brought up by a tweet:
Covering the security basics required of any other industry in order to protect sensitive data could be a good start for universities that don't have a set of compliance standards to guide them - the SANS Institute’s Critical Security Controls, developed by a consortium of U.S. and international agencies and private industry experts detail 20 key areas of information security any organization should address.
One of those security basics and best practices in the industry include the implementation of authentication security, such as two-factor authentication to protect user and administrative accounts. Learn more in our Two-Factor Authentication Evaluation Guide.