Moody's: Cyberattacks Could Dent Higher Ed Credit Rating

Cyberattacks could affect the financial standing of higher education as a business segment, according to a recent briefing by Moody's Investors Service. The "sector comment" came out shortly after two big security events, both occurring on March 16, 2021. First, the Federal Bureau of Investigation's Cyber Division issued a "flash" warning about an increase in ransomware targeting education institutions. Then, Maricopa Community Colleges, one of the largest community college systems in the country, discovered it had been hit by "suspicious activity" and, in response, brought its network down, pushing off the start of classes after spring break by a week. The announcement came on March 19, three days after the discovery.

The FBI report specifically alerted readers about PYSA ransomware, also known as "Mespinoza," which is "capable of exfiltrating data and encrypting users' critical files and data stored on their systems." Current targets include colleges and universities, K-12 schools and seminaries.

According to the report, PYSA gains its unauthorized access through compromised Remote Desktop Protocol (RDP) credentials and/or phishing e-mails. Once the data is pulled out, the systems — files, databases, virtual machines, backups and applications — are made inaccessible to users through encryption and the attacker demands ransom. The ransom message contains information on how to contact the criminal via e-mail, displays frequently asked questions and offers to decrypt the affected files. If the ransom isn't paid, the hacker warns that the information will be uploaded and monetized on the darknet. The same FBI report discouraged victims from paying the ransom and urged them to report the incidents to their local FBI field office.

Maricopa Community Colleges, following its incident response protocol, took its systems offline, including its e-mail, user portal, learning management system, student information system, human resources management system and Google tools. The college system also brought in forensic and recovery specialists to help determine what had happened and to resolve the outage.

By March 29, classes had resumed, and by March 30 the operating systems had been restored. However, the forensic review was continuing, and the school couldn't report on whether data had been stolen.

Moody's warned that the rise in cyberattacks had come at an especially vulnerable time for higher ed. Not only have "some university finances ... become more fragile because of revenue declines and expense pressures related to the pandemic," but also "university networks have expanded more than ever as instruction is carried out largely online and most staff and faculty work remotely."

Unexpected school and course closures damage customer relations, the briefing noted. There's also the financial hit, which poses a "growing credit risk for debt issuers": The average data breach cost for an education victim is $3.9 million, according to a 2020 Ponemon Institute study.

The full briefing, "US: FBI warning for universities underscores vulnerability to cyberattacks," is available to Moody's subscribers.

About the Author

Dian Schaffhauser is a former senior contributing editor for 1105 Media's education publications THE Journal, Campus Technology and Spaces4Learning.
