An Education on University Data Breaches
Students, faculty and others at risk of having their information compromised within university/college networks.
By Wendy Bowman-Littler
(Laguna Beach, CA) - West Coast author Kim Greenblatt remembers his brush with a security breach at a major university well. After requesting a copy of his college transcripts through the website of a Midwestern university, he was surprised to find the transcripts that arrived at his home were someone else’s. He notified the registrar at the California campus and had his correct records delivered directly to him, but he never received an answer about where—if anywhere—his first set of transcripts might have been sent.
“I felt surprised, scared and angry,” says Greenblatt, who was worried that his name, address and social security number might have ended up in the wrong hands. “The process was done somewhat automatically and incorrectly. The fact that the person from the university couldn’t confirm if anything else was wrong was just wrong. I drove my wife nuts for a while worrying about it, and perhaps I overreacted, but it just freaked me out.”
The unintended disclosure of sensitive information—whether posted publicly on a website, mishandled or sent to the wrong party via email, fax or mail—is just one type of education-related data breach prevalent within university networks today.
Because university networks offer a plethora of data, they make a great intentional target for thieves, says Will Marling, executive director of the Virginia-based National Organization for Victims Assistance (NOVA), which provides victim and witness assistance programs for practitioners, criminal justice agencies, professionals, former victims and survivors.
“Students, faculty, staff, alumni, vendors and government agencies all are at risk of having their information compromised,” Marling says. “This provides an opportunity for commission of crimes like theft of finances and medical care, fraudulent loans and a host of other violations.”
A 2011 report conducted by Pleasonton, Calif.-based Javelin Strategy & Research shows that of the 250,000-plus individuals who were victims of identity theft in 2010, 24 percent of those were between the ages of 20 to 29. Another 8 percent were 19 years old or younger, meaning college-aged students account for as much as one-quarter of all identity theft victims.
This could be due to their high profiles online, but also because universities are notorious for data breaches, Marling says. “I would suggest that part of the issue is that academic institutions are aggregates for a lot of personal data—not only of the current faculty, staff and student body, but also alumni—all of which is maintained and valuable.
“Hence, hackers like the potential rewards from a data breach, and because of so many who have legitimate access to such networks, that expands the potential points of compromise,” he adds.
According to the San Diego-based consumer information and consumer advocacy nonprofit Privacy Rights Clearinghouse, 66 data breaches for educational institutions in the U.S. were publicly reported through the end of August 2012, compared with 63 for all of 2011. Among the most prevalent listed on the organization’s 2012 “Chronology of Data Breaches” report include hacking or malware; skimming devices; intentional breaches by employees or contractors; and lost portable devices.
Many high-profile cases of educational data breaches have been reported in the news recently, including an incident at the University of South Carolina, which notified 34,000 people in August that their personal information might have been accessed from a compromised web server that exposed the names, addresses and social security numbers of students, staff and researchers at the College of Education dating back to 2005. In March, the University of Tampa found out that a temporary text file containing the identification and social security numbers, names and birth dates of more than 6,000 students enrolled for the fall 2011 semester was publicly exposed likely for more than six months. Meanwhile, the University of Rhode Island’s College of Business Administration revealed in August that the personal information of more than 1,000 faculty and students, as well as students from another school, was made publicly available on a computer server.
One of the most recent cases announced involved a major breach of confidential records at Northwest Florida State College in Niceville, Fla., that occurred from late May through late September of this year. According to a statement released by the university, hackers broke into its computer systems and stole 200,000 records—including names, social security numbers, birthdates, ethnicity and gender—for more than 3,000 employees and almost 300,000 students, including 200,000 students statewide who were eligible for Florida’s Bright Futures scholarships for the 2005-06 and 2006-07 school years.
The university has since collaborated with the Division of Florida Colleges in the Department of Education to formally notify everyone who was impacted by the data breach and to suggest that they place a free fraud alert on their credit files. The university also contracted with an external consultant to ensure that its information would be safe and secure going forward.
Although there is a social expectation of disclosing a breach, reporting requirements vary from state to state and data breaches at universities can often go unreported. Adds Marling, “Regarding crime, universities are fairly tight-lipped about the issue, reporting statistically what is mandated by the Clery Act (which requires all colleges and universities that participate in federal financial aid programs to keep and disclose information about crime on and near their respective campuses).”
In fact, one of the most significant threats—and something schools find nearly impossible to control, track or report—is the breach of sensitive data stored in folders accessible through peer-to-peer (P2P) file-sharing software and networks.
“My children’s public school network allows for P2P, though they throttle the bandwidth thinking they are keeping the kids from downloading movies and music (such as large files),” Marling says. “But just the access means that small files (such as data files, PDFs) are accessible to perpetrators. That policy is school system wide, so the vulnerability is multiplied by thousands,” he says. “Imagine, though, a university where the same policy applies. I doubt many schools have a policy against the students, especially on their personal PCs, being able to install P2P software.”
Research conducted by Pennsylvania-based Tiversa, the global leader in cyberintelligence, shows the P2P problem is far more prevalent than often is reported, with a variety of university-related sources showing that 1,371 universities have disclosed data on P2P and 22,458 IPs have been traced back to universities. Just some of the sensitive information likely leaked as a result include the names, social security numbers, email address and birth dates of nearly 600 students; confidential clinical study information; university IT audits; and university statements containing employee earnings, ID numbers and partial social security numbers.
“While colleges and universities generally take a variety of measures to safeguard their networks and protect the personal information of its students and faculty, what we found is that traditional measures are ineffective in mitigating P2P risk,” says Tiversa CEO Robert Boback. “P2P programs work differently than the viruses and malware that these institutions are trying to guard against. While all organizations should have a policy in place that addresses P2P risk, very few do. There are many cases where policy just doesn’t work. Tiversa has been involved in a number of investigations where this is true. The company prides itself on providing its customers visibility into these risks by locating exposed data and driving remediation and risk mitigation efforts.”
Individuals, if not notified by the institution, might find out about a breach weeks, months or even years later from authorities conducting an investigation, or when they receive a call from a creditor who is seeking to collect on a fraudulent loan. Even if an institution offers services such as LifeLock to those affected after a breach, it doesn’t mean that the problem has been resolved because breaches on the college and university level can, and do, occur multiple times to the same institution.
Numerous identity theft services do not provide comprehensive P2P protection, Boback says. “This is crucial, because Tiversa often sees cyber criminals actively targeting this type of data through P2P exposure.
Students who are beginning another semester or recently finished their college career and employees who have worked for an institution of higher learning can take several steps to help protect their information. Before handing over any information to the school, they should ask about the data security policies, including P2P.
Having some type of measure in place to make information more difficult to use always is a good idea. Whether it’s initiating a credit freeze, monitoring credit reports or obtaining an identity theft company with P2P monitoring, protection is just as important as being diligent with passing along personal information to third parties.
For Kim Greenblatt, other than getting a refund and finally receiving his correct transcripts, there was no other follow up from the university. “I subsequently notified the credit bureaus and asked for a 90-day fraud alert or active duty alert to be placed on my credit file, just in case my personal data was sent to the wrong person as well,” he says. “I also am debating if I need to mail in the documentation to try and get identity-theft protection put on permanently—or for a few years at any rate.
“One thing’s for sure,” Greenblatt adds. “Now I’m much more cautious of requests for personal information and aware of potential exposure through trusted organizations.”
Wendy Bowman-Littler is a Laguna Beach, Calif.-based freelance journalist with 25-plus years experience in writing and editing. She can be contacted at wbowmanlittler@gmail.com.
Tags: