Top Breaches in Higher Education in 2015 -2016

In continuation to our series on data loss in higher education sector, this article identifies the top breaches that have taken place in institutes all around the country. These incidents are noteworthy because they spiked up awareness about higher education being a soft target for data breaches.

April 2015 saw one of the biggest breaches at Auburn University where about 360,000 people had their social security numbers exposed online publicly. These people were not even registered/ enrolled students of the university but were either applicants or prospective students.

In May of 2015, when the breach was discovered at Penn State University, it had already affected 18,000 records. It was found that the unauthorized access had started way back in 2012 at the College of Engineering and had gone unnoticed till 2015. The alarming issue here is that it took 3 years to detect the breach and the network had to be disabled for 3 full days, significantly affecting continuity of work.

June of 2015 saw another breach at Penn State University. This time, the College of Liberal Arts, came under attack for unlawful access.

A similar breach took place at University of Connecticut in July 2015. The servers were hacked by unauthorized users from China beginning 2013. About 1,800 user credentials were exposed though it was never confirmed if any intellectual data was compromised. During the investigation, malicious hardware was found on the servers.

University of Virginia notified in August 2015 that there was a cyber attack originating from China, resulting in the University reinforcing protection of its network against future breaches. Although no PII was stolen, people quickly became aware of the inherent risk that large institutes face because of lack of adequate data loss prevention measures.

In September 2015, at least 80,000 records of students enrolled in an online course at Cal State got hacked. Sensitive information was compromised because of this. The cause was attributed to malware in third party applications offered by a vendor administering the online course. While the PII was not exposed, user IDs and passwords, college emails, gender, and race were made public.

In another incident, California Virtual Academies (CAVA) informed its registered users in December 2015 that their data storage system was exposed as a result of data breach. CAVA, within hours, was able to locate the vulnerability and contain it by securing the system. Users were still urged to check their personal accounts, change security settings online and familiarize themselves with information provided on credit and identity protection.

In January 2016, Southern New Hampshire University (SNHU) confirmed that due to a configuration error on part of a third party vendor, a database containing names, email addresses, IDs, course details, scores etc. had been exposed. About 140,000 students had been affected due to the breach. Since SNHU claimed to have 70,000 enrollments, it was understood that the records either had been duplicated or both former as well as current students had been affected. The investigation is still ongoing.

In February 2016, University of Florida reported that as many as 63,000 records with PII were exposed to hackers. The records belonged to former and current students as well as staff members. The management also notified that credit card information, other financial data and health records were not comprised.


The above-mentioned incidents reinforce the vulnerability of the higher education sector. Tighter regulations and comprehensive data loss prevention solutions are thus deemed as a necessity in this sector.