Computer hackers reportedly have stolen identifying information and credit card numbers from more than half a million — some 600,000 — college students, faculty, and alumni this year. This is prompting some campus IT officials to call for a "total overhaul" of computer security protocol.
Identity Theft 911, an Arizona-based company founded by consumer advocates and experts from the financial industry and law enforcement, released a report this month, called "America’s Universities: A Hacker’s Dream," which documents some of the largest recent computer security breaches on college campuses and discusses solutions for IT decision makers and students.
Twenty-seven American colleges and universities saw personal records stolen in the first seven months of 2009, and the report concludes that a "sprawling profusion" of disparate computer networks and servers–each with a different security policy–makes IT departments "powerless to enforce any standards," meaning student grades, credit information, and Social Security numbers remain vulnerable.
Challenge of decentralization
Adam Levin, chairman and cofounder of Identity Theft 911, said colleges’ decentralized IT systems combined with an open network are "a recipe for the disaster we’ve experienced." Thousands of students connected to online social networks and file-sharing web sites endanger the entire IT infrastructure, Levin said.
"When you’re downloading Madonna, you could also be downloading" malware that could spread throughout a campus IT network, he said.
Campus IT officials said school networks often are vulnerable because thousands of students and faculty access the networks every day using their laptops or other personal mobile devices.
"Many of those we don’t own, we don’t have any management responsibility for them, and yet they do introduce problems we have to deal with," said Robert Ono, the director of technology security for the University of California at Davis. Ono said 35,000 computers connect to the campus’s network every day.
Gaps in campus security policy could be filled, according to the report, by building a "unified, high-security firewall" that would protect electronic records in every department. Faculty members and alumni could choose to be included in the campus-wide firewall or be locked out, according to the report.
Centralizing campus computer networks would require categorization of personal information. In this scenario, data would be separated according to their level of sensitivity, the report says, adding that no one outside the university’s financial aid department would need to know a student’s Social Security number.
Action usually requires a crisis
How quickly this cumbersome process unfolds hinges on the severity of a security breach.
"The fast route usually starts with a serious breach, creating the political will necessary to get serious about security," the report says. Notre Dame University spent $4.6 million on security consultants and updated its network hardware after a 2006 hack exposed sensitive information about faculty and donors.
"The fact that we were responding to a crisis," said David Seidl, Notre Dame’s director of information security, "proved to be enormously helpful in getting support."
Identity Theft 911’s report includes a list of the largest security breaches in higher education this decade. The University of Miami’s 2008 breach, in which 2.1 million records were stolen, remains at the top of the list, and the University of California, Berkeley’s 180,000 stolen records is the only security incident from 2009 on the top-10 list.
More than 6.6 million personal records have been hacked in 435 incidents at colleges and universities since 2005, according to the Identity Theft Resource Center, an organization that recommends strategies for securing personal information.
Repeated IT breaches have cost technology officials and professors their jobs this decade. Two Ohio University IT employees were fired in 2006 after five separate security breaches that exposed hundreds of thousands of student files. The school’s CIO later resigned. In 2007, a Western Oregon University journalism professor was fired when officials discovered he did not secure a computer file containing his students’ names, grades, and Social Security numbers.
Some schools, such as Binghamton University in New York, have seen identity protection failures publicized several times in recent months. A Binghamton student in March found an unlocked room full of parents’ tax documents, and a photographer from a local news radio station took pictures of the exposed documents and posted them on a web site, redacting sensitive information. Just one month later, Social Security documents were found in a dumpster outside the university’s library. Thousands of Binghamton students signed a petition for the school to fire its information security director.
The recent spate of campus computer network breaches, Levin said, could make colleges vulnerable to legal action by students, faculty, alumni, or donors whose personal information has been stolen.
"I think people are getting sufficiently terrified about what they’re seeing," he said. "Someday, somewhere, someone is going to go after a university [legally]."