Category Archives: Education

Top Breaches in Higher Education in 2015 -2016

In continuation to our series on data loss in higher education sector, this article identifies the top breaches that have taken place in institutes all around the country. These incidents are noteworthy because they spiked up awareness about higher education being a soft target for data breaches.

April 2015 saw one of the biggest breaches at Auburn University where about 360,000 people had their social security numbers exposed online publicly. These people were not even registered/ enrolled students of the university but were either applicants or prospective students.

In May of 2015, when the breach was discovered at Penn State University, it had already affected 18,000 records. It was found that the unauthorized access had started way back in 2012 at the College of Engineering and had gone unnoticed till 2015. The alarming issue here is that it took 3 years to detect the breach and the network had to be disabled for 3 full days, significantly affecting continuity of work.

June of 2015 saw another breach at Penn State University. This time, the College of Liberal Arts, came under attack for unlawful access.

A similar breach took place at University of Connecticut in July 2015. The servers were hacked by unauthorized users from China beginning 2013. About 1,800 user credentials were exposed though it was never confirmed if any intellectual data was compromised. During the investigation, malicious hardware was found on the servers.

University of Virginia notified in August 2015 that there was a cyber attack originating from China, resulting in the University reinforcing protection of its network against future breaches. Although no PII was stolen, people quickly became aware of the inherent risk that large institutes face because of lack of adequate data loss prevention measures.

In September 2015, at least 80,000 records of students enrolled in an online course at Cal State got hacked. Sensitive information was compromised because of this. The cause was attributed to malware in third party applications offered by a vendor administering the online course. While the PII was not exposed, user IDs and passwords, college emails, gender, and race were made public.

In another incident, California Virtual Academies (CAVA) informed its registered users in December 2015 that their data storage system was exposed as a result of data breach. CAVA, within hours, was able to locate the vulnerability and contain it by securing the system. Users were still urged to check their personal accounts, change security settings online and familiarize themselves with information provided on credit and identity protection.

In January 2016, Southern New Hampshire University (SNHU) confirmed that due to a configuration error on part of a third party vendor, a database containing names, email addresses, IDs, course details, scores etc. had been exposed. About 140,000 students had been affected due to the breach. Since SNHU claimed to have 70,000 enrollments, it was understood that the records either had been duplicated or both former as well as current students had been affected. The investigation is still ongoing.

In February 2016, University of Florida reported that as many as 63,000 records with PII were exposed to hackers. The records belonged to former and current students as well as staff members. The management also notified that credit card information, other financial data and health records were not comprised.

Conclusion

The above-mentioned incidents reinforce the vulnerability of the higher education sector. Tighter regulations and comprehensive data loss prevention solutions are thus deemed as a necessity in this sector.

Higher Education: Prevent Data Loss, Act Now

In our previous post, we saw why higher education is highly susceptible to data beaches. The sector is a significant source of Personally Identifiable Information (PII), which can easily be breached given lack of uniform regulations and proper cybersecurity measures. One of the largest breaches in higher education has been at the University of Maryland in 2015, when 300,000 records with sensitive data including social security numbers were exposed.

In this blog, we have used research findings from some prominent studies to illuminate the fact that data loss is a big threat in higher education.

The Ponemon Institute, an independent research company on data security, has determined that the average cost of a cybercrime in education is $3.89 million annually; And the number of records exposed due to breaches is nearly 316,000 for year till date!

In a recent study conducted by the Center for Digital Education, the key concerns of IT leaders in higher education were analyzed and the following conclusions were derived:

  • 72% said that they were concerned about rampant data breaches
  • 73% said that cybersecurity is a high priority
  • 70% said that spam and phishing will be the main threats for data loss

Recently, education institutes have started implementing a number of measures to thwart the rising threat of data breaches. Some best practices being followed in this sector are summarized as follows:

  • Tactics, Techniques, and Procedures (TTP) Analysis

Studying the tactics, techniques and procedures used by hackers gives a great insight into the world of unauthorized access and helps understand the 4 Ws – who are these people, why are they hacking, what are they after and what procedures they are deploying to harness the information.

  • Willingness to Report Incident

Willingness to come forward and share the breach incident with other institutes helps in reducing the incidents.  The EDUCAUSE Center for Analysis and Research (ECAR) has come up with studies to prove that alerting higher education leaders and IT professionals about an incident lowers the risk of a repeat incident at same or another location. IT leaders at these institutes can collectively come up with methods to prevent similar future breaches.

  • Incident Response Plan Implementation

Drawing up an efficient incident response plan helps in mitigating and containing the aftermath is a best practice. This is very important for the reputation of the institute. Having a robust plan, in sync with what needs to be done, specifying the roles, whom to contact, what to expect is a smart countermeasure.

 Conferences for Knowledge Sharing

Many institutes like Dartmouth conduct annual conferences where peers discuss best practices being followed for data loss prevention. In the process, institutes mutually gain the knowledge to avoid and deal with data loss incidents. Dartmouth has implemented both knowledge-based authentication (KBA) and two-factor authentication (2FA) that sets an example of cybersecurity measures other institutes could follow.

Safeguarding the “present” of our students will lead the way to a secure future for them. Act now, else face the threat of data loss.

Higher Education in the Hit List for Data Breaches

The perception that education institutes are less likely to fall prey to expensive data breaches is very much misleading. Higher education is one of the most susceptible segments, accounting for 35% of all breaches in education. In 2015, many leading universities such as Pennsylvania State University (PSU), Washington State University, Harvard University, Johns Hopkins University, the University of Virginia (UVA) and the University of Connecticut faced cyberattacks that were considerably damaging.

This post explores 7 key factors that have resulted in higher education becoming a hot bed for data breaches.

  1. Enrollment of high numbers of students every semester. While this is a very positive trend, it also means that there is a very high volume of data moving around electronically. Institutes that do not have adequate security measures in place or lack proper risk mitigation plans are welcome grounds for data breaches.
  1. Unlimited exchange of data between departments. At times, complete bio-demographic details of students are released instead of providing just the required amount of information. It is therefore vital that institutes have policies in place that define who has access over what kind of information and in what formats can that information be released.
  1. High usage of mobile devices. According to a study by Pearson, nearly 86% of college students use smartphones regularly. The devices are used for storing anything from personal information to research data. With unrestricted exchange of information on mobile devices, college campuses are breeding grounds for intentional as well as unintentional data beaches.
  1. Higher institutes store the brainpower behind costly technical know-hows and inventions. Universities support extensive research subjects in the areas of Sciences and Engineering. Students, professors and research fellows receive millions of unsolicited requests for sensitive information. Theft of expensive technical know-how, hiring of people within the education system for espionage, intrusion of student immigration program for disruptive purposes – are all growing concerns. Breaching of firewalls by hackers, insiders, as well as foreign infiltrators is simple, if adequate data loss prevention measures are not in place.
  1. Lack of access policies and faculty training. Institutes that lack proper rules or regulations related to exchange of data are at higher risk. It is vital that IT leaders emphasize on the need for end-to-end encryption and faculty training, so access-based policies can be implemented.
  1. Lack of awareness. Students are often unaware of phishing attacks and other data breaches that they may partake in unintentionally. Workshops around these issues can minimize the loss of data through their smartphones and tablets.
  1. Reluctance to report breaches. Reluctance by universities to report breaches results in failure to take proper action on time. A pro-active plan – tested and implemented – to deal with post-incident situations can go a long way in reducing losses in the event of an actual breach.

The higher education sector presents unlimited threats related to data breaches. Without proper security implementation, the threat could spiral out of control, turning an actual incident into a very expensive and stressful aftermath cleaning process.

2016: Data Breach Statistics*, Year until 02/23/2016

*The ITRC tracks seven categories of data loss methods: Insider Theft, Hacking, Data on the Move, Subcontractor/Third Party, Employee Error/Negligence, Accidental Web/Internet Exposure, and Physical Theft.

The ITRC tracks four types of compromised information: Social Security number, Credit/Debit Card number, Email/Password/User Name, and Protected Health Information (PHI).

Total records exposed only include records for which count is available.

1.7 Million Records Already Breached within Just Two Months of 2016

Zecurion offers deeper insight into selected incidents caused either by accidental or intentional data breaches. With all such incidents, the common elements describing the impact of this growing problem are financial loss, compromised intellectual property and dwindling customer confidence. Let us see how some sectors have been impacted during the first two months of 2016. The excerpts below only provide a glimpse of some of these incidents – the list goes on.

Government

2 February, 2016 – Washington State Health Authority (HCA) has notified that 91,000 records of Apple Health (Medicaid) clients were accessed without any authorization by an employee. Social Security numbers, dates of birth, Apple health client ID numbers and private health information was passed to another state agency’s employee. After internal investigation, it has been established that the classified information did not get beyond these two employees. However, as a precaution free year-long credit monitoring has been offered to the affected people. Both the employees have been fired since the incident came to light.

Source:  King 5 News

26 January, 2016 – The County of San Diego has confirmed that the classified records of all the employees were accidently sent to Wells Fargo as opposed to only those that are set up for Health Savings Accounts with the latter. The County and Wells Fargo are working together to delete unwanted records. A free year-long credit monitoring has been offered to the affected people. The breach is being deemed as an accidental error due to incorrect program code for data transfer by Hewlett- Packard Enterprise Services.

Source: California Attorney General, SC Magazine

Healthcare

25 January, 2016 – Health Equity has informed that an employee sent an email containing personal information including Social Security numbers of its clients to one of their business partners by error. An unknown number of people have been affected and are being given a year of free credit monitoring.

Source: California Attorney General

Education

5 January, 2016 – Southern New Hampshire University (SNHU) has confirmed that due to a configuration error, on part of a third party vendor, the database containing names, email addresses, IDs, course details, scores etc. of its students has been exposed. Reports show that about 140,000 students have been affected due to the breach even though the university has only 70,000 enrollments. It is believed that the discrepancy in numbers may mean that both former and current students have been affected. The investigation is still ongoing.

Source: CSO Online

Zecurion’s Annual Review: 2015 Data Breach Statistics

 

*The ITRC tracks seven categories of data loss methods: Insider Theft, Hacking, Data on the Move, Subcontractor/Third Party, Employee Error/Negligence, Accidental Web/Internet Exposure, and Physical Theft.

The ITRC tracks four types of compromised information: Social Security number, Credit/Debit Card number, Email/Password/User Name, and Protected Health Information (PHI).

Total records exposed only include records for which count is available.

As we step into 2016, let’s look at the cost of data breach in 2015 and the trends that have impacted it.

Human Error Causes 19% of Data Breaches

Though malicious or criminal attacks pose as the main contributing factor for data breaches – almost 49%, yet negligent employees are responsible for an exorbitant 19% of the breaches, and 32% involved system glitches that includes both IT and business process failures.

Average Cost of Breached Record is $217

The average cost per lost or stolen record containing sensitive data is $217 for 2015. There has been a substantial increase of $16 per record breached in comparison to year 2014 which is close to an 8% increase. The average cost of $217 consists of $74 towards direct per capita cost and the remaining $143 towards indirect per capita cost. Direct costs are the costs that the companies spend to minimize the consequences of a data breach and to assist victims. Indirect costs pertain to what the companies spend on existing internal resources to deal with the data breach.

Higher than Average Data Breach Cost for Healthcare, Pharmaceutical, Financial, Energy, Transportation, Communications and Education

 

Some industrial sectors such as healthcare, pharmaceutical, financial, energy, and transportation, communications and education are more prone to the breaches and thus have higher data breach costs. They tend to have a per capita data breach cost more than the mean of $217. On the contrary, public sector (government), hospitality and research have a per capita cost well below the overall mean value.

Average Cost per Organization is $4.7 Mn to $11.9 Mn, Depending on Number of Records Breached

The number of breached records per incident in 2015 ranged from 5,655 to 96,550 records. The average number of breached records was 28,070. As the number of lost records increases, so does the cost of data breaches. In 2015, companies that had data breaches involving less than 10,000 records had an average cost of data breach of $4.7 million and the ones with the loss of more than 50,000 records had a cost of data breach of $11.9 million.

Among the number of factors that contribute to increased lost business costs, the significant ones are loss of business, legal services, investigation & forensics, increased customer acquisition activities and diminished goodwill.  In order to reduce the cost of data breaches, businesses need to make proactive decisions and make worthwhile investments in various strategies, key being setting up an incident response plan, implementing data loss prevention solutions, planning for business continuity and its management, appointing CISO with enterprise-wide responsibility and investing in employee training.

2015: Data Breach Stats*, Year until 11/24/2015

 

*The ITRC tracks seven categories of data loss methods: Insider Theft, Hacking, Data on the Move, Subcontractor/Third Party, Employee Error/Negligence, Accidental Web/Internet Exposure, and Physical Theft.

The ITRC tracks four types of compromised information: Social Security number, Credit/Debit Card number, Email/Password/User Name, and Protected Health Information (PHI).

Total records exposed only include records for which count is available.

No Sector Left Behind – Confidential Data Loss Threat Looms in Some of the Other Forms

Zecurion offers deeper insight into selected incidents caused either by accidental or intentional data breaches. With all such incidents, the common elements describing the impact of this growing problem are financial loss, compromised intellectual property and dwindling customer confidence. Let us see how some sectors have been impacted in the months of September to November of 2015. The excerpts below only provide a glimpse of some of these incidents.

Financial and Insurance Services

2 October 2015 – Schwab Retirement Plan Services Inc. (SRPS), California, notified customers of a data breach that occurred when an email having social security numbers, names, addresses, dates of birth, dates of termination, employment status, division code, marital status and account balance was accidently sent to a participant in another retirement plan serviced by SRPS.

Source: California Attorney General

25 September 2015Bed Bath and Beyond notified customers of a data breach at their New York City location. The breaches happened between March 7 and August 3, 2015, and involved a cashier. The employee has since been removed from the store and customers have been asked to contact their banks for possible credit card theft.

Source: Vermont Attorney General

25 September 2015Blue Cross BlueShield of North Carolina notified customers of two data breach incidents. In the first one, one member’s billing invoice information was being printed on the back of another member’s invoice. The information revealed names, addresses, internal BCBSNC account numbers, group numbers, coverage dates and premium amounts. The second breach happened when payment letters included incorrect information and were sent to the wrong members. This information exposed the type of health plan purchased, effective dates, health insurance marketplace identification numbers, payment amounts, telephone numbers and payment identification numbers.

Source: Health IT Security

 

Healthcare

26 October 2015 – Emergence Health Network notified their patients that the company’s server has been accessed without any authorization. EHN hired the services of a third party vendor to conduct an audit on the server and to find out if the breach affected its 11,100 records. Based on the audit, it was not immediately apparent of any confidential information had been accessed or misused.

Source:  Department of Health and Human Services

3 October 2015 – Sentara Heart Hospital, Virginia, notified patients that two portable hard drives containing information such as birthdates, names, diagnoses, types of procedures and other clinical notes was stolen on the weekend of August 14, 2015. About 1,040 records have been affected by this theft.

Source: Pilotonline.com

 

Education

6 October 2015 – The Lake Norman High School, California, notified its students of a beach when one of its students obtained an administrative password and accessed school without authorization. Seven students have been charged by the Iredell County Sheriff’s Office in this regard.  It has been reported that no personal data, testing or grades were accessed. Since then, the school has taken corrective measures to secure the computer system.

Source: Statesville.com

 

Government

18 November 2015 – The Georgia Secretary of State, Brian Kemps office is being sued by two Georgia women who claim that the Secretary’s office released personal information that involves 6 million Georgia voters. 2 separate entities received the files due to a clerical error and included drivers license information, Social Security numbers and dates of birth. According to the lawsuit, Mr. Kemps office never notified individuals regarding the breach, nor did they contact the consumer reporting agencies.

Source: AJC.com

22 October 2015The Juvenile Division of the Clerk of Courts of Osceola in Florida erroneously displayed information of juveniles charged in court cases on its official website. Not only were their names displayed, but also their foster system was exposed online via the e-file system. Authorities are investigating the breach and trying to fix the problem. An unknown number of records have been affected because of this.

Source: WFTV Channel

9 October 2015 – The Vacaville Housing Authority (VHA) notified individuals that one of their employees unintentionally sent an email to one person with an attachment containing names and social security numbers of their customers. The person immediately informed the VHA authorities who in turn deleted the email from this person’s computer. As a precaution, VHA has offered free credit monitoring service to the affected customers for 12 months.

Source: California Attorney General

 

Transportation

04 November 2015 – Avis Budget Group notified customers of a data breach when the third-party provider that manages their open enrollment process accidentally sent a file to another company that is also their client. The information exposed included names, addresses and Social Security numbers.

Source: California Attorney General

13 October 2015 – Uber’s new app “Uber partner” had a glitch that resulted in a data leak affecting nearly 674 US drivers. The data, exposed for a few hours, included taxi certification forms, driver licenses and W-9 forms with Social Security numbers for cab companies. According to Uber, the data was only visible to logged-in drivers who went to their documents page. Since then, Uber has fixed the issue.

Source: California Attorney General

After the Breach – Do You Have a Proactive Response and Recovery Plan?

Steps to Better Prepare an Educational Institute to Manage a Data Breach

April 22, 2015 – Last week, we shared statistics from numerous studies to reinforce the importance of data loss prevention in the education sector. Today, we will go a step further and share a valuable, yet a simple strategy that can easily be implemented should such an incident happen.

With the increase in amount of student data stored and increased digitization of information, educational institutes have become more vulnerable to data threats. It is expected that most of the institutes will see a data breach at some point of time and should be prepared with a response and recovery plan for better incident management.

 

school lockers-94959_1280Zecurion’s Anthony Servidio Jr., VP Business Development for North America, says, “The potential impact of a data breach on a student’s
future is immeasurable. For example, leakage and potential misuse of social security numbers could result in not just the inability to get an education loan approved, but also profound mental and emotional stress at a very young age causing behavioral changes.”

 

Below is a suggested response and recovery plan so educational institutions are better prepared for incident management:

Assemble Incident Response (IR) Team: The response team should include top management including the Principal, Chancellor, PR Manager, IT Manager and anyone else who can contribute to issue resolution.

Identify What Has Been Impacted: Verify if the incident has actually happened and if the answer is yes, identify what has been compromised, how, and what the anticipated loss is. In most of the cases, the data breach happens through a combination of people, processes and technology.

Data Exposure Assessment: It is important to assess the data compromised and components of the data including names, addresses, telephone numbers, social security numbers and financial aid. As the first step, it is crucial to identify what all data is stored in the current systems and the second step is to classify the data as per their criticality. Even the identification and removal of unnecessary data lessens the burden on the system and helps to organize and improve data security.

Damage Control: Once the type and scope of data exposed is determined, it should be immediately resolved by deleting the shared email, destroying the copies, or whatever is possible. After that, steps should be taken to reduce the exposure of the impacted data for repeat threat.

Response Plan: The response team should create a proper response plan as the reputation and branding of the institute gets directly impacted by the amount of response time taken after the breach detection. If required, the impacted individuals should be informed about it including source of the breach, emergency point of contact, means to resolve their queries and compensation, if required. It is also mandatory in some states to inform governing authorities about data breaches as part of the Federal Law.

Act Now: Identify the lessons learnt from the incident and take necessary actions on immediate basis to avoid such situations from happening again in future, including implementation of various data loss prevention tools.

While the institute may have to spend time, money and effort in diagnosing and taking preventive measures for enhancing data security, any proactive measure taken will help in preventing future financial loss as well as the loss of reputation and trust.

Sources: Ellucian, WindowsIT Pro, SANS Institute

Why Is Proactive Data Loss Prevention So Important?

Per Capita Cost for Data Breaches in the Education Sector is One of the Highest

Did you know that the per capita cost for data breaches in the education sector is one of the highest? And that the impact of a data breach in schools is on the higher side as compared to the colleges, as the former accounts for more than 66 percent of total per capita spending on education?

Many small schools have a lot of data but a limited capacity to deal with huge sets of data. The systems in place are generally based on open architecture for easy access of information between students, teachers and administrative staff. This makes it more imperative to have a sophisticated data loss prevention tool to prevent data breaches from happening as a result of human error or by accident. Below are some of the key statistics, compiled from various organizations to give an insight on the impact of data breaches on the education sector. school-desks-305953_1280

  1. Education sector’s per capita costs for data breaches, as reported by Ponemon in May 2014, is $259 which is the third highest per capita cost after healthcare ($316) and transportation ($286). This cost is substantially above than the overall mean of all industries i.e. $201. These include breaches caused by criminal attack, system glitch and human error.
  1. The probability of data breach involving more than 10,000 records for the education sector is expected to be 0.211. Public and retail companies are more vulnerable to breaches followed by educational institutes as per the Ponemon report.
  1. Approximately one third of a total data breaches reported by colleges and institutions, from 2005-2013, can be attributed to intentional or unintentional data leakage by employee or associated personnel, as reported by EDUCAUSE Center for Analysis and Research (ECAR).
  1. The education sector has witnessed 727 breaches as per Privacy Rights Clearinghouse (PRC) database from 2005-2014. Out of this, 73 percent of breaches have known impacted records data totaling 14.5 million records with an average of 27,509 records per breach whereas the impact of compromised data is not known for the remaining 27 percent of data breaches.
  1. It is the only sector with the second largest number of data breaches from 2005-2014 whereas the number of records exposed is the lowest (approximately 1 percent of total records exposed). This can be attributed to non-reporting or wrong reporting of breach cases by institutes to safeguard their reputation and branding.
  1. As per the survey conducted by Halock last year, more than 50% of the institutes surveyed allowed data access over unencrypted and unprotected email environment. The lack of proper data loss prevention solution can be considered as the major factor of data breaches over such unsecured networks.

Sources: US Government Spending, EDUCAUSE Center for Analysis and Research (ECAR), Capital News, Privacy Rights Clearinghouse (PRC), Ponemon Institute