Protecting our Children’s Future by Protecting Their Data

Sarah Morrison
January 31, 2024

Data breach… We all know what it is, and we all understand the type of impact a data breach can have on individuals whose data is pilfered, traded, and sold on the dark web like gold bullion. That is what it is, after all: modern-day gold bullion that threat actors trade in. But have you ever taken the time to consider the non-emotional impact of a data breach on a child?

This article looks at the theft of child data and why it is so attractive to threat actors. A big caveat: the article only scratches the surface of this topic, and there is a lot more to it, so I encourage you to do some research if you are the custodian of child data, or DM me for a chat. You will also note that I avoid using the term cybersecurity in the article. Why? Because when we talk about schools and other educational institutions, they have so much data and it is very rarely retained in just the cyber realm. Instead, schools deal in paper documents, lots and lots of paper documents. There is also the information that teachers hold in their heads, and there are also the sensitive conversations that are had with parents, other teachers and even, at times, medical professionals.

The Growth of PII Theft

Taking a brief look at the history of cybercrime, and I mean very brief, threat actors started out targeting banks and credit cards: any means to acquire money directly. Over time, the niche market of threat actors expanded, and threat actors now target any institution that holds personal identifying information (PII). PII is cash for threat actors, or as noted above, modern-day gold!

For a long time, educational institutions remained unscathed regarding cybercrime. As a result, they were often overlooked when it came to general awareness campaigns. But then, somewhere along the way, it clicked with threat actors. Where can we get the PII of individuals with no credit history, no criminal records, and a clean slate? Schools!

The Price for PII on the Dark Web

When looking at the price of our data on the dark web, adult data is pretty consistent, with a complete Australian adult profile costing approximately $45. See my article What Happens to Personal Data After a Breach for further information. For children not considered in the teenage range, the price drops down to $10 per record. This seems like excellent news for primary schools and daycare centres, as there is little incentive for threat actors. Unless, that is, threat actors are willing to hold onto the child’s record for a few years until they hit the teenage range. That is where they can make big bucks!

For a complete teenage profile, including tax file number and Medicare details, threat actors in 2018 could earn up to $3,000 per record. You heard me, $3,000! And what better place to start to harvest that information than from schools? Schools maintain comprehensive records on their students, including Medicare and private health care details on students, in case of emergency.

The research into why teenager data is worth so much more is a little sketchy, but if I were to hazard a guess, I would say it is because teenagers generally:

  • Have clean credit histories
  • Have no debt
  • Have no police records, and
  • Are likely to be having their data sold for the first time.

The fact that Credit Suisse recorded Australia as having the highest median wealth in the world would have also contributed to the value of Australia’s PII in general, I would imagine. Add to this the size and security budgeting of schools and they become the perfect target of threat actors. Schools (well, at least the schools I know) do not generally have an information security team or the resourcing or money for 24/7 threat response.

Threat Actors Target Schools

When looking at the most likely way a threat actor would compromise a school, the odds suggest a phishing email, with the primary initial access vector of successful attacks in Australia in 2022 being phishing. Threat actors can be compelling, and with schools often overlooked regarding security awareness, education institutions’ teachers and support staff are often left without the right tools to fight against threat actors.

In 2023, we witnessed threat actors swarm through school districts in the USA, like locusts, pilfering schools of their PII data. Since the start of this year, the threat has continued, with data breaches being reported in Butte School District, Edmonds School District, Fullerton Joint High School District and Glendale Unified School District. Now, it is easy to say that this is only affecting people overseas or only affecting Americans. In fact, in October 2023, it was predicted that Australia would follow suit, with schools becoming a more prominent target, according to Australia’s National Cyber Security Coordinator, Air Marshal Darren Goldie.

Security Hygiene

If you do work in a school or education institute, I have created a security hygiene checklist for you to test yourself against. If you answer ‘No’ to any of these questions, it is time to ask yourself who the right people are to help you with your security hygiene. Having a conversation on information security during staff development days, term meetings, and even around the figurative water cooler is a significant first step to getting information security put on the school’s agenda and building a security-aware culture.

  1. Would I be able to identify a phishing email if I saw one?
  2. Do I know who to report a security incident to?
  3. Do I ensure not to send sensitive data via email unless encrypted?
  4. Do I know what to do if I suspect malware on my device?
  5. Am I using strong passwords at home and work?
  6. Are these passwords unique?
  7. Am I only using applications approved by IT to undertake my work?
  8. Do I only encourage students to download applications that are approved by IT and/or are part of a whitelist of preapproved applications?
  9. Do I only have access to data that I need to undertake my job?
  10. Am I following the Australian Privacy Principles?

I will close this article the same way I close many of my articles, with a general plea. Please talk to your family and friends about security. Tell them to be wary of social engineering scams, including phishing emails, and to remain sceptical of any phone calls, emails or text messages. The data that is for sale is our children’s future. Do we want our children to enter the workforce only to find out that someone has been using their identity since they were sixteen and destroyed their credit rating by the age of eighteen? Yes, it can be fixed, but at what emotional toll?

Morrisec engages with many schools, from security awareness to risk assessments, to complete managed services. If you need help with your security program, pick up the phone. We can help create a road map to strengthen your security posture and empower your staff and students for the future.

Sarah Morrison


Sarah is the Co-CEO of Morrisec. With over 20 years in cybersecurity and a PhD in Russian information operations, Sarah has a deep understanding of threat actors and their tactics and motivations, making her highly equipped to assist organisations in their defence against them.
