What College Students Should Know if Their School Is Hacked

College students should take immediate action if they learn that their institution was the subject of a ransomware attack.
portrait of Matthew Arrojas
Matthew Arrojas
Read Full Bio


Matthew Arrojas is a news reporter at BestColleges covering higher education issues and policy. He previously worked as the hospitality and tourism news reporter at the South Florida Business Journal. He also covered higher education policy issues as...
Updated on October 18, 2023
Edited by
portrait of Alex Pasquariello
Alex Pasquariello
Read Full Bio

Editor & Writer

Alex Pasquariello is a senior news editor for BestColleges. Prior to joining BestColleges he led Metropolitan State University of Denver's digital journalism initiative. He holds a BS in journalism from Northwestern University....
Learn more about our editorial process
Image Credit: eclipse_images / E+ / Getty Images
  • In 2022, 44 known ransomware attacks impacted colleges and universities.
  • Institutions hold valuable student data that hackers covet.
  • If released on the dark web, this data can have horrific effects on a student’s financial and emotional well-being.
  • There are, however, steps students can take in the aftermath of an attack to protect themselves.

Names, addresses, social security numbers, and medical records.

It’s common for colleges and universities across the U.S. to ask for this personal information of students. This information may be helpful for administrators within a school, but stockpiling valuable data makes institutions a juicy target for hackers looking to swipe these assets and hold them for ransom.

These ransomware attacks, unfortunately, have become all too common in recent years.

A January report from Emsisoft found 44 instances of ransomware attacks at colleges and universities in 2022. Brett Callow, threat analyst at Emsisoft, told BestColleges the actual number of attacks is likely higher because news of a successful attack doesn’t always become public knowledge, especially when an institution decides to pay the ransom.

He added that attacks targeting universities spiked in 2019 and have remained consistent since.

"We're really not getting to grips with this problem,” Callow said. “And the numbers aren't going down."

Explaining Ransomware Attacks on Universities

Most colleges and universities harvest a treasure trove of student data that hackers covet.

Hackers target institutions repeatedly in hopes of gaining access to a school’s network, Callow explained. They will often then lock an institution's computers from which the data was stolen, essentially holding the university hostage.

Attackers demand high ransoms to return stolen data and unlock servers, he said.

Joseph Potchanant, director of the cybersecurity and privacy program at EDUCAUSE, told BestColleges that the data falls into three main buckets: demographic information like names and social security numbers, academic data like a student’s major and grades, and financial data like banking information.

However, other data is at risk that students may not think of.

A university breach may impact a school’s Title IX office, Callow said. That means rape and sexual assault allegations, for example, could be made public.

Psychological evaluations could also leak, he added.

"It can be extremely sensitive stuff,” Callow said.

How Should Students Respond to an Attack on Their School?

Unfortunately, a student’s options are limited in the aftermath of a ransomware attack.

Any response largely depends on whether their institution complies with the ransom demands, Potchanant said. In some states — including Florida and North Carolina — it is against state law for a public college or university to give in to demands.

In most states, the school can make its own decision.

"It's really up to the institution,” he said. “But the recommendation from law enforcement is that ransoms not be paid."

If a school does pay the ransom, there is a chance that the problem goes away completely. Paying the ransom places trust in the hackers to hold up their end of the bargain.

If the school does not pay the ransom, Callow said hackers almost always release student data into the dark web.

There isn’t much students can do beyond this point.

Potchanant recommends that upon hearing of a breach, students should immediately look into freezing or temporarily locking their credit. That’s because personal data floating through the dark web could lead to attempts at identity fraud, and people may try to use personal information to establish credit in a student’s name.

Students should also let immediate family members know about the breach.

Colleges and universities don’t just store student data but also often data about their parents, guardians, or other family members. A security question may ask for a student’s mother’s maiden name, for example, and the school may also have a guardian's address from the application process.

This guardian or parent would now be vulnerable to identity theft, too.

"It affects everyone in your orbit,” Potchanant said.

Students should continue to monitor their bank accounts in the immediate aftermath of a breach, he added. Look out for suspicious activity or changes in direct deposits.

Callow agreed that a personal freeze on a student’s credit should be their first step.

"Beyond that, it's simply a matter of being super vigilant,” he said.

When it comes to medical and other personal information, however, Callow said there is nothing students can do if that data leaks.

What Can Students Do Before a Potential Attack?

The best way to minimize the impact of a cyber attack on a university is to limit what data a school has to begin with.

Unfortunately, Potchanant said students often have little choice in what they must submit. They’ll inevitably have to submit personally identifying information, as much of it is vital for the university to function properly.

That doesn’t mean all the data a university collects is necessary, he stressed.

For example, does a college really need a student's full social security number, or would just the last four digits suffice?

Potchanant recommends that students raise concerns with their institution whenever they come across a form asking for unnecessary information. It’s ultimately up to the university to engage in “data minimization,” he said, but students should use their voice to point out potential oversights.

"Being your own advocate would be a great way to minimize the impact,” Potchanant said.

Should Former Students Be Worried About a Potential Attack?

Current students aren’t the only ones to suffer in the wake of a ransomware attack.

Potchanant said a data breach at a college or university puts former students at risk, too. While schools may delete most personal, financial, and medical information once a student graduates, they tend to hold onto some data in case that student re-enrolls or wants to stay involved as part of an alumni group.

Graduates should reach out to their former university to ask what information it stores post-graduation.

It’s an important step because states have various disclosure laws for when a data breach compromises financial information, but that may not extend to personal information. Therefore, a university may not alert graduates that their data is at risk if it doesn’t include financial data, Potchanant said.

"Personal information is usually the biggest problem,” Callow said. “Just knowing that type of information is floating around… it can be psychologically distressing."