Forget the image of school files being simple spreadsheets. A far more sinister reality is unfolding in the digital shadows, where dedicated 'students' of a different kind are meticulously studying and exploiting the vast data troves held by educational institutions. These are hackers, and schools and colleges have become their prime targets.
Education Sector: A Goldmine for Cyber Criminals
Startling revelations emerged at a recent session of Hacked 2.0, an initiative by The Times of India and the National Forensic Sciences University (NFSU), hosted by the Gujarat Chamber of Commerce and Industry (GCCI). The gathering of educators, principals, and administrators was presented with a grim picture: the education sector is as vulnerable to cyberattacks as any critical infrastructure, thanks to the massive volumes of sensitive personal data it handles.
Prof Parag Rughani, Dean of the School of Cyber Security and Digital Forensics at NFSU, issued a stark warning. He stated that valuable research and student records can "change hands at just a click of a button." Highlighting the scale of the problem, he revealed that between 2003 and 2023, educational institutions consistently ranked high on vulnerability charts.
He cited a chilling case where a private university professor from Pune was duped of Rs 2.5 crore by a hacker posing as an IIT expert involved with DRDO projects. "If prominent US universities can get hit, so can we," Rughani emphasized, pointing to one incident where a single breach exposed 2.30 lakh student records.
The Evolving Threat: Metamorphic Malware and Outdated Systems
Experts highlighted specific, sophisticated threats plaguing the sector. Prof Rughani warned schools about a new type of virus called 'metamorphic' malware. This dangerous software alters its own code with each new infection, evading detection by basic antivirus programs. "It mutates and comes with a new form, much like the Covid-19 virus," he explained.
This threat is compounded by the widespread use of obsolete technology. Rughani pointed out that many institutions still operate on ancient systems like Windows XP, an operating system for which Microsoft ended mainstream support back in 2014. He described such software as an "open door for hackers."
To combat this, Rughani stressed the urgent need for a clear legal agreement between IT service providers and educational stakeholders. He insisted that providers must be held "legally responsible" for data security under the new Digital Personal Data Protection (DPDP) Act.
Personal Data for Sale and the Insider Danger
Kritarth Jhala, a Senior Scientific Officer at NFSU, laid bare the economics of stolen data. He stated that a person's name, mobile number, and email can fetch nearly a dollar in the digital black market. A single click on a malicious link can compromise a user's location and device details, leading to severe breaches.
He shared a harrowing incident from the pandemic era, where hackers stole photos of schoolgirls to create deepfake videos and then blackmailed the institution. "Once the data is out, it creates a permanent footprint; it cannot be erased," Jhala warned.
Perhaps most alarmingly, he noted that 60-70% of cyberattacks are insider threats, originating from individuals familiar with the network, such as disgruntled former employees. Jhala also addressed the recent spate of bomb threats to schools, explaining that hackers use temporary email IDs to hide their identity and sow panic.
In a final, disturbing revelation, he cautioned that cheap CCTV surveillance setups in many schools are inadvertently allowing hackers to spy into classrooms remotely, turning tools for safety into gateways for intrusion.
The message from cybersecurity experts is clear: Indian educational institutions must move from complacency to urgent action. Protecting the data of students, parents, and faculty is no longer an IT afterthought but a fundamental responsibility.
