A debilitating malware attack has forced a college known for “powerhouse” cybersecurity programs to shut down all its systems, just as it prepares for the fall semester.
On August 8 the Stevens Institute of Technology noticed “system-access issues” and alerted users to what it later called a “very severe and sophisticated” cyberattack. The college disabled its systems and networks as a precaution, it said, apparently disrupting a swath of tasks needed to run the college: email, payroll, tuition payments, class scheduling, summer course assignments, its virtual private network, and more.
We’re sorry, something went wrong.
We are unable to fully display the content of this page.
This is most likely due to a content blocker on your computer or network.
Please allow access to our site and then refresh this page.
You may then be asked to log in, create an account (if you don't already have one),
or subscribe.
If you continue to experience issues, please contact us at 202-466-1032 or help@chronicle.com.
A debilitating malware attack has forced a college known for “powerhouse” cybersecurity programs to shut down all its systems, just as it prepares for the fall semester.
On August 8 the Stevens Institute of Technology noticed “system-access issues” and alerted users to what it later called a “very severe and sophisticated” cyberattack. The college disabled its systems and networks as a precaution, it said, apparently disrupting a swath of tasks needed to run the college: email, payroll, tuition payments, class scheduling, summer course assignments, its virtual private network, and more.
Stevens pushed back its deadline for tuition payments twice. It told student employees they had another week to clock their hours. It extended the summer term to August 25.
The college, a private research institution of about 7,000 graduate and undergraduate students in Hoboken, N.J., has said in updates on its website this week that it is making “very good progress.” Technicians have recently cleared more than 300 users for “critical” systems, the college said, and it expects to restore email this weekend.
ADVERTISEMENT
A spokeswoman told The Chronicle that the college was still investigating, but it believes that the attack is “now contained” and has found no evidence that personal data have been exploited.
Experts warn that cyberattacks are a mounting threat to colleges, whose defenses lag behind. Last month the Education Department said hackers had reportedly targeted at least 62 colleges to create hundreds of fake accounts and potentially retrieve student records. (The department later said it had “not found any instances” of exploitation.) In March, The Wall Street Journalreported that Chinese hackers had targeted several prominent colleges in the United States to steal research for military use.
Stevens itself noted that it was “not alone in experiencing sophisticated malware attacks, which have been escalating in frequency and intensity worldwide.”
Colleges are racing to train enough experts in the field to stop those and other cyberattacks, which have threatened the country’s biggest companies, banks, and the U.S. government. Stevens, a member of the National Centers of Academic Excellence in Cyber Defense, a program run by the National Security Agency and the Department of Homeland Security, has previously billed itself as a leader in that effort.
Openness as Vulnerability
While it may be tempting to view that status as ironic in light of the hack, a college’s cybersecurity programs usually have “nothing to do with the operational security of the university IT system,” said Jonathan Katz, a professor of computer science at the University of Maryland at College Park and the director of the Maryland Cybersecurity Center.
ADVERTISEMENT
Stevens declined to specify details of the attack, citing “the ongoing forensic as well as law-enforcement investigation into the incident.”
“We look forward to welcoming all students to campus in the coming days,” the college said in an emailed statement. “Activities for new and returning student move-in and new-student orientation are proceeding as planned, and all students will have their schedules before their classes start.”
Since Wednesday the college has offered more details about its next steps and urged community members to reset their passwords and back up data.
The use of file-sharing systems like Google Drive and Dropbox “could be affected,” but the college expects to restore that soon. Data in other cloud-storage systems, such as Workday and Canvas, do not appear to be at risk, the college said.
ADVERTISEMENT
The attack appears to have targeted Windows systems. The college said mobile phones and Apple computers do not seem to have been threatened, though Windows tablets could have been.
Late Thursday night, the college said users could expect to hear by Friday or Saturday about how to get back onto email, Canvas, and Workday.
Colleges and universities have some challenges that maybe don’t exist as much in the corporate world.
“Colleges and universities have some challenges that maybe don’t exist as much in the corporate world,” Katz said. “Generally speaking, they like to be very open.” Nor do they usually have the sheer resources of an Equifax or a Capital One — two American companies that have been hit by major data breaches in recent years.
But they should still follow best practices for cyberdefense, including two-factor authentication and regular updates of software, Katz said. They should also train users to resist “social engineering” attacks, like phishing attempts, that prey on human error.
ADVERTISEMENT
Colleges may not view themselves as money pots for hackers, compared with other organizations, said Carl E. Landwehr, a research scientist at George Washington University’s Cyber Security and Privacy Research Institute. But they’re confronting their own susceptibility as targets rich with sensitive research and personal information.
The motives of Stevens’s hackers remain unclear. But colleges generally can offer “a source of ideas,” Landwehr said, “and I think they have to become more aware of that.”
Steven Johnson is an Indiana-born journalist who’s reported stories about business, culture, and education for The Chronicle of Higher Education, The Washington Post, and The Atlantic.