With their vast stores of personal data and expensive research, universities are prime targets for hackers looking to graduate from swiping credit card numbers.
These aren't college kids trying to change their grades. They're potentially "nation-state actors" much like the hackers who have targeted large corporations in the past, said Michael Oppenheim, intelligence operations manager at Internet security firm FireEye.
This year, breaches of Pennsylvania State University and the University of Virginia were blamed on Chinese hackers.
At the University of Connecticut, student Social Security numbers and credit card data were taken. Washington State University and Johns Hopkins University were also the target of attacks.
It's a trend that is forcing schools to think harder about how they protect students and researchers from a threat that never shows its face on campus.
"As administrators in education, we know that we're responsible for security writ large," Nicholas Jones, provost of Pennsylvania State University, told NBC News. "And that includes information security. I don't think I thought a year ago that I would know as much about information security as I do now."
In 2014, 10 percent of reported security breaches involved the education sector, according to Symantec's Internet Security Threat Report. That trails only health care (37 percent) and retail (11 percent).
Despite the frequency of attacks, many schools aren't prepared to defend themselves. In a recent study, Tinfoil Security tested the networks of 557 state universities with a cross-site scripting (XSS) attack. Twenty-five percent of them were vulnerable.
"A quarter of state universities ... that's insane," said Michael Borohovski, founder and CTO of Tinfoil Security. "It's not because they don't care. It's probably because they don't know it's a problem or they're simply not catching it in time."
Finding the culprit behind the keyboard in cyberattacks can be incredibly difficult. So far, Jones said, consultants hired by the university have traced the origin of the attacks to China. It's unknown whether the hackers were independent actors or sponsored by the government.
When Chinese President Xi Jinping arrives in the United States this week, President Barack Obama is expected to bring up the issue of cyberespionage, a tense topic that some have speculated could lead to economic sanctions against Chinese firms.
Hackers gain access to school networks the same way they gain access to a lot of other networks.
Sometimes they use "spear phishing" emails with malicious links or attachments that can be used to establish a "beachhead inside the network" and try to gain more access, Oppenheim said. Other times they enter malicious code into websites that students and faculty regularly log into.
While the attacks aren't novel, universities don't have strict control over the hardware and software that students and faculty use.
"Protecting schools is a lot harder than protecting corporations, mainly because you have to allow people to bring their own devices," Borohovski said.
The transient nature of university populations — students on erratic schedules entering and leaving campus, as well as graduating — can make tracking down the source of malicious software difficult, according to Borohovski. Another problem is that universities have limited options when it comes to software for services like student registration.
"Most of the third-party companies that provide software to education institutions, frankly, don't focus on security," he said. He noted that education tech isn't a very lucrative field, which means companies don't face much competition.
"If they don't have to spend money on security and can still win a contract, that is what they're going to do," he said.
So what is the solution? Universities should be looking to outside help to shore up and strengthen their computer networks, Oppenheim said. They can also prioritize the most sensitive information and spend their limited resources protecting it.
A good first step is getting universities to acknowledge the threat of cyberattacks in the first place, something that might be helped by the recent spate of high-profile breaches.
"I think schools are waking up to it," Borohovski said. "I just think they're going to need a lot of help."
Keith Wagstaff is a contributing writer at NBC News. He covers technology, reporting on Internet security, mobile technology and more. He joined NBC News from The Week, where he was a staff writer covering politics. Prior to his work at The Week, he was a technology writer at TIME.