“Scope alone is a reason for alarm, but I’m more concerned about the difficulty of the attack itself,” he said.
UN’s student information system, a $29 million system based on Oracle’s PeopleSoft Enterprise Campus Solution, manages the school’s course registration, campus housing, and student admissions.
UN officials said encryption probably did not protect the personal information of 650,000 people exposed during the cyber attack.
“The legal investigation into this week’s security breach is still in progress, so we cannot yet comment on the details of this particular incident,” the university said in its announcement. “However, we are confident that the type of attack we experienced would have bypassed any encryption that was in place.”
Shaul said colleges and universities should be as wary of on-campus IT dangers as they are about outside cyber attacks.
“In the world of data breaches, it’s not uncommon to deal with the insider threat,” he said. “Any crime is more difficult and painful when it is perpetrated by someone you know or trust. The relationship between a university and its student body, specifically as that relationship relates to information security, has long been a rocky one.”
The UN security breach is one of more than 30 education-related breaches in 2012, according to statistics from the Privacy Rights Clearinghouse.
Most higher-education hacks have exposed a fraction of the records involved in the UN data breach. Arizona State University (ASU), however, had 300,000 records hacked in January, although no Social Security numbers were involved.