Web Application Vulnerability Leads to Compromised Data

by Sarah Harvey / April 8th, 2019

Georgia Tech Data Breach

Last week, Georgia Tech announced a vulnerability in a web application that compromised 1.3 million individuals’ information, spanning from current students to alumni to employees. The vulnerability allowed unauthorized third-party access to a central Georgia Tech database. The university hasn’t released many details yet, but we do know the basics of the incident.

The Georgia Tech data breach was found in late March, but the impact has been traced back to December. The vulnerability in the web application has been patched, and the university is looking for any additional, unknown vulnerabilities. The university’s cybersecurity team is now conducting a forensic investigation to find out how this breach happened, especially since it’s the second breach within a year. In 2018, 8,000 Georgia Tech College of Computing students’ information was emailed to the wrong recipients because of human error.

Cybersecurity Risks in Higher Education

The Georgia Tech data breach proves, once again, that any organization can be compromised. Even a university with a leading computing program and the top cybersecurity talent can be impacted by a data breach. Georgia Tech’s relationship with technology companies and the government probably made the university an even more attractive target.

A data breach in the education industry costs $166 per capita, according to the Ponemon Institute. Institutions of higher education can be targeted for personally identifiable information, research, payroll information, Social Security Numbers, or for other critical assets. Most cybersecurity attacks are a matter of when it will happen to you, not if it will happen to you. The Georgia Tech data breach isn’t the first time a university has been targeted, and it won’t be the last. Is your institution doing everything it can to protect itself from attacks?

Security of Web Applications

Web applications are unique constructs, mixing various forms of technology and providing an interactive front for others to use. Some web applications are made public, while others might be internal applications existing on an intranet. No matter the location, web applications play critical functions and are susceptible to many cyber threats, as we see with the Georgia Tech data breach. To mitigate risk, web applications need to be thoroughly tested for application logic flaws, forced browsing, access controls, cookie manipulation, horizontal escalation and vertical escalation, insecure server configuration, source code disclosure, and URL manipulation, among other tests.

At KirkpatrickPrice, we want to find the gaps in your web applications’ security before an attacker does. For this reason, we offer advanced web application penetration testing. Contact us today to learn more about how our services can help secure your web applications.
