Moody's: Cyberattacks Could Dent Higher Ed Credit Rating

  • By Dian Schaffhauser
  • 04/07/21

Cyberattacks could affect the financial standing of higher education as a business segment, according to a recent briefing by Moody's Investors Services. The "sector comment" came out shortly after two big security events, both occurring on March 16, 2021. First, the Federal Bureau of Investigation's Cyber Division issued a "flash" warning about an increase in ransomware targeting education institutions. Then, Maricopa Community Colleges, one of the largest community college systems in the country, discovered it had been hit by "suspicious activity" and, in response, brought its network down, pushing off the start of classes after spring break by a week. The announcement came on March 19, three days after the discovery.

The FBI report specifically alerted readers about PYSA ransomware, also known as "Mespinoza," which is "capable of exfiltrating data and encrypting users' critical files and data stored on their systems." Current targets include colleges and universities, K-12 schools and seminaries.

According to the report, PYSA gains its unauthorized access through compromised Remote Desktop Protocol (RDP) credentials and/or phishing e-mails. Once the data is pulled out, the systems — files, databases, virtual machines, backups and applications — are made inaccessible to users through encryption and the attacker demands ransom. The ransom message contains information on how to contact the criminal via e-mail, displays frequently asked questions and offers to decrypt the affected files. If the ransom isn't paid, the hacker warns that the information will be uploaded and monetized on the darknet. The same FBI report discouraged victims from paying the ransom and urged them to report the incidents to their local FBI field office.

Maricopa Community Colleges, following its incident response protocol, took its systems offline, including its e-mail, user portal, learning management system, student information system, human resources management system and Google tools. The college system also brought in forensic and recovery specialists to help determine what had happened and to resolve the outage.

By March 29, classes had resumed, and by March 30 the operating systems had been restored. However, the forensic review was continuing, and the school couldn't report on whether data had been stolen.

Moody's warned that the rise in cyberattacks had come at an especially vulnerable time for higher ed. Not only have "some university finances ... become more fragile because of revenue declines and expense pressures related to the pandemic," but also "university networks have expanded more than ever as instruction is carried out largely online and most staff and faculty work remotely."

Unexpected school and course closures damage customer relations, the briefing noted. There's also the financial hit, which poses a "growing credit risk for debt issuers": The average data breach cost for an education victim is $3.9 million, according to a 2020 Ponemon Institute study.

The full briefing, "US: FBI warning for universities underscores vulnerability to cyberattacks," is available to Moody's subscribers.

About the Author

Dian Schaffhauser is a former senior contributing editor for 1105 Media's education publications THE Journal, Campus Technology and Spaces4Learning.

Featured

  • college students in a classroom focus on a silver laptop, with a neural network diagram on the monitor in the background

    Report: 93% of Students Believe Gen AI Training Belongs in Degree Programs

    The vast majority of today's college students — 93% — believe generative AI training should be included in degree programs, according to a recent Coursera report. What's more, 86% of students consider gen AI the most crucial technical skill for career preparation, prioritizing it above in-demand skills such as data strategy and software development.

  • repeating abstract pattern featuring cloud icons, neural network shapes, data streams, and circuit-like elements in muted tones

    Google Report: Infrastructure Is the Missing Piece in Gen AI Strategy

    While Gen AI has become central to digital transformation strategies, a new Google Cloud report reveals most organizations aren't yet equipped to support it at scale.

  • illustration of a football stadium with helmet on the left and laptop with ed tech icons on the right

    The 2025 NFL Draft and Ed Tech Selection: A Strategic Parallel

    In the fast-evolving landscape of collegiate football, the NFL, and higher education, one might not immediately draw connections between the 2025 NFL Draft and the selection of proper educational technology for a college campus. However, upon closer examination, both processes share striking similarities: a rigorous assessment of needs, long-term strategic impact, talent or tool evaluation, financial considerations, and adaptability to a dynamic future.

  • semi-transparent AI brain with circuit elements under a microscope

    Anthropic Develops AI 'Microscope' to Reveal the Hidden Mechanics of LLM Thought

    Anthropic has unveiled new research tools designed to provide a rare glimpse into the hidden reasoning processes of advanced language models — like a "microscope" for AI.