‘Please, please, please’ report cyber incidents, says Federal Student Aid office official

Devin Bhatt, acting chief information security office for the U.S. Federal Student Aid office, pleaded with institutions to report cyber incidents.
U.S. Department of Education seal
(Department of Education / Flickr)

Higher education institutions should report cyberattacks and data breaches the moment they’re discovered, Devin Bhatt, acting chief information security officer at the U.S. Department of Education’s Federal Student Aid office, told a conference this week.

While institutions can face fines for not reporting suspected data breaches or cyberattacks to the FSA, some institutions are reluctant to come forward as they fear they will be penalized, Bhatt said during the Educause 2022 conference’s virtual programming on Wednesday.

“Please, please, please notify us as soon as possible,” Bhatt said. “We’re not here to punish anybody, we’re here to help you, we’re here to serve the institutions of higher education and students.”

During fiscal year 2022, the FSA received 409 incident reports, down from 460 reports last year. This doesn’t mean fewer incidents are taking place, however, said Bhatt.


“People may not report sometimes,” he said.

Compared to last year, the number of ransomware incidents increased from 126 to 130, while incidents of data mishandling decreased from 200 to 186. Bhatt encouraged institutions to report all varieties of cyber incidents, including phishing attempts.

“The more people report and share, the more we can share with the community at large,” he said.

An institution can make a report to the FSA either by calling the Education Security Operations Center, emailing the FSA’s IHE cybersecurity division, or reporting a breach online through a simple intake form. Once the FSA receives an incident report, it works with the affected institution to triage and respond to the incident and offer recommendations and best practices to help it recover and improve cybersecurity and data handling practices, said Bhatt.

Bhatt recommended that institutions have incident response plans that are up-to-date and have been tested. He also urged colleges to regularly review their data security practices.


“Compliance doesn’t equal security,” he said.

Latest Podcasts