Tag Archives: higher education

Top Breaches in Higher Education in 2015 -2016

In continuation to our series on data loss in higher education sector, this article identifies the top breaches that have taken place in institutes all around the country. These incidents are noteworthy because they spiked up awareness about higher education being a soft target for data breaches.

April 2015 saw one of the biggest breaches at Auburn University where about 360,000 people had their social security numbers exposed online publicly. These people were not even registered/ enrolled students of the university but were either applicants or prospective students.

In May of 2015, when the breach was discovered at Penn State University, it had already affected 18,000 records. It was found that the unauthorized access had started way back in 2012 at the College of Engineering and had gone unnoticed till 2015. The alarming issue here is that it took 3 years to detect the breach and the network had to be disabled for 3 full days, significantly affecting continuity of work.

June of 2015 saw another breach at Penn State University. This time, the College of Liberal Arts, came under attack for unlawful access.

A similar breach took place at University of Connecticut in July 2015. The servers were hacked by unauthorized users from China beginning 2013. About 1,800 user credentials were exposed though it was never confirmed if any intellectual data was compromised. During the investigation, malicious hardware was found on the servers.

University of Virginia notified in August 2015 that there was a cyber attack originating from China, resulting in the University reinforcing protection of its network against future breaches. Although no PII was stolen, people quickly became aware of the inherent risk that large institutes face because of lack of adequate data loss prevention measures.

In September 2015, at least 80,000 records of students enrolled in an online course at Cal State got hacked. Sensitive information was compromised because of this. The cause was attributed to malware in third party applications offered by a vendor administering the online course. While the PII was not exposed, user IDs and passwords, college emails, gender, and race were made public.

In another incident, California Virtual Academies (CAVA) informed its registered users in December 2015 that their data storage system was exposed as a result of data breach. CAVA, within hours, was able to locate the vulnerability and contain it by securing the system. Users were still urged to check their personal accounts, change security settings online and familiarize themselves with information provided on credit and identity protection.

In January 2016, Southern New Hampshire University (SNHU) confirmed that due to a configuration error on part of a third party vendor, a database containing names, email addresses, IDs, course details, scores etc. had been exposed. About 140,000 students had been affected due to the breach. Since SNHU claimed to have 70,000 enrollments, it was understood that the records either had been duplicated or both former as well as current students had been affected. The investigation is still ongoing.

In February 2016, University of Florida reported that as many as 63,000 records with PII were exposed to hackers. The records belonged to former and current students as well as staff members. The management also notified that credit card information, other financial data and health records were not comprised.

Conclusion

The above-mentioned incidents reinforce the vulnerability of the higher education sector. Tighter regulations and comprehensive data loss prevention solutions are thus deemed as a necessity in this sector.

Higher Education in the Hit List for Data Breaches

The perception that education institutes are less likely to fall prey to expensive data breaches is very much misleading. Higher education is one of the most susceptible segments, accounting for 35% of all breaches in education. In 2015, many leading universities such as Pennsylvania State University (PSU), Washington State University, Harvard University, Johns Hopkins University, the University of Virginia (UVA) and the University of Connecticut faced cyberattacks that were considerably damaging.

This post explores 7 key factors that have resulted in higher education becoming a hot bed for data breaches.

  1. Enrollment of high numbers of students every semester. While this is a very positive trend, it also means that there is a very high volume of data moving around electronically. Institutes that do not have adequate security measures in place or lack proper risk mitigation plans are welcome grounds for data breaches.
  1. Unlimited exchange of data between departments. At times, complete bio-demographic details of students are released instead of providing just the required amount of information. It is therefore vital that institutes have policies in place that define who has access over what kind of information and in what formats can that information be released.
  1. High usage of mobile devices. According to a study by Pearson, nearly 86% of college students use smartphones regularly. The devices are used for storing anything from personal information to research data. With unrestricted exchange of information on mobile devices, college campuses are breeding grounds for intentional as well as unintentional data beaches.
  1. Higher institutes store the brainpower behind costly technical know-hows and inventions. Universities support extensive research subjects in the areas of Sciences and Engineering. Students, professors and research fellows receive millions of unsolicited requests for sensitive information. Theft of expensive technical know-how, hiring of people within the education system for espionage, intrusion of student immigration program for disruptive purposes – are all growing concerns. Breaching of firewalls by hackers, insiders, as well as foreign infiltrators is simple, if adequate data loss prevention measures are not in place.
  1. Lack of access policies and faculty training. Institutes that lack proper rules or regulations related to exchange of data are at higher risk. It is vital that IT leaders emphasize on the need for end-to-end encryption and faculty training, so access-based policies can be implemented.
  1. Lack of awareness. Students are often unaware of phishing attacks and other data breaches that they may partake in unintentionally. Workshops around these issues can minimize the loss of data through their smartphones and tablets.
  1. Reluctance to report breaches. Reluctance by universities to report breaches results in failure to take proper action on time. A pro-active plan – tested and implemented – to deal with post-incident situations can go a long way in reducing losses in the event of an actual breach.

The higher education sector presents unlimited threats related to data breaches. Without proper security implementation, the threat could spiral out of control, turning an actual incident into a very expensive and stressful aftermath cleaning process.