Data and privacy

How one university’s stolen student IDs caused a crime wave

When identity theft dragged one UK university into a money-laundering scam, they realized they were perfectly placed to stop it happening again.

Share article

Cybercriminals see education as an amazing opportunity. But they’re not taking classes or gaining qualifications – they target universities and other educational institutions for the wealth of personal information they hold.

In Tomorrow Unlocked’s video The Backdoor into Campus, Royal Holloway, University of London cybersecurity experts talk about how a major identity theft incident on campus happened and how they’re working to keep students and staff safe in future.

How educational institutions are attacked

Universities and colleges often have many people using their systems, like staff, students and visitors. They also offer many kinds of services online.

Mike Johnson, Chief Information Officer at Royal Holloway, University of London, describes a recent security incident. “A staff member’s credentials were stolen and used to send convincing offers of part-time work to students. Some students undertook the work and were paid. But they were overpaid, then asked to return some of the money. It was money laundering on a significant scale.”

Why cybercriminals love stealing identities

With just one stolen identity, a criminal can do a lot of damage. If you know enough about someone in the digital age, you can access money or commit other crimes, all while leading law enforcement back to the wrong person.

“Commonly, we find those who try to attack us are looking to harvest identities,” says Johnson. “When they’ve got them, they’ll try to harvest more until they’re sure they can attack us in the way they want to.”

Education can stop attacks on education

It’s all about authentication, says Keith Martin, Professor of Information Security at Royal Holloway, University of London: Knowing the person trying to access something online is the person they say they are. “Imagine a front door. Whoever has the key can open it. To breach that, you need to get hold of the key. Entering a country is more high security: Border control looks at credentials like a passport and the person submitting it.”

Professor Martin continues, “In cyberspace, it’s a bigger problem because we can’t see who’s asking for access. The most popular authentication is a password, but passwords are like keys – easily copied or stolen. So we need to use the passport model – asking for multiple things to gain access.”

That’s called multi-factor authentication. You’d need more than a password to gain access, such as a code sent by SMS or biometrics, like a fingerprint.

Senior security researcher at Kaspersky, Noushin Shabab, says for the best security, multi-factor authentication should combine biometrics like facial recognition with another credential.

Developing ‘cyber common sense’ in education

Professor Martin says the most important thing anyone can do to keep their identity safe is to develop ‘cyber common sense.’ “Hesitate before doing anything in cyberspace – if you’re sent a link or a message asking for information, ask, why do they want this?”

Johnson feels education institutes are perfect places to learn cybersecurity awareness. “We’ve got to be willing to have a conversation with students about digital security and what protecting their identities means. We’re educators – we’re well placed to help people operate in an environment they’ll operate in for a long time.”

Kaspersky Security Foundations

Cloud-managed security that automatically prevents cyber threats on any device without hogging resources.

About authors

Suraya Casey is a freelance writer, editor and content strategist based in New Zealand. Her interests include cybersecurity, technology, climate, transport, healthcare and accessibility.