There have been more than 30 security breaches in higher education this year.

The hacking of information on more than 650,000 University of Nebraska (UN) students, alumni, parents, and employees—which ranks among higher education’s largest data breaches—had the markings of an amateur job.

The university announced last week that the school’s student information system was hacked, possibly revealing the Social Security numbers, financial aid data, birth dates, course grades, and home addresses of University of Nebraska-Lincoln, the University of Nebraska at Omaha, the University of Nebraska Kearney, the University of Nebraska Medical Center and the Nebraska College of Technical Agriculture stakeholders dating back to 1985.

UN officials said the centralized information system was exposed for hours before an IT staffer discovered the breach. Since then, UN police have seized computers and electronic equipment from an undergraduate student who might be connected to the data breach.

As of press time, no charges have been filed against the student, who was tracked down through his or her IP address.

Read more about data breaches in higher education…

The March Madness bracket feared by every campus IT official

‘Socialbots’ pose IT security threat on campuses

Analysts are combing the computer equipment for forensic evidence, according to a website launched by the university in response to the security breach and the subsequent public outcry.

This breach, however, likely wasn’t the work of seasoned hackers sneaking their way into a well-guarded university database, IT security experts said, raising concern about the university’s safeguards against even the most basic attacks.

Josh Shaul, chief technology officer at New York-based database security company Application Security Inc., said the campus police revelation that the undergraduate student didn’t successfully hide his or her computer’s IP address shows that the attack was less than sophisticated.

“That’s the ultimate rookie mistake,” Shaul said. “I figure someone [who] can’t hide his IP address probably can’t hack his way out of a paper bag. Was the database that got popped ever even secured beyond the default settings?”

UN, in its detailed announcement of the security breach and its aftermath, described the incident as a “skilled attack.”

Even the most cautious campuses using up-to-date database security programs are vulnerable to attacks from complex networks of botnets or experienced hackers, Shaul said. When an inexperienced cyber attacker hacks a student information system, students, faculty, parents, and alums should be concerned.

“Scope alone is a reason for alarm, but I’m more concerned about the difficulty of the attack itself,” he said.

UN’s student information system, a $29 million system based on Oracle’s PeopleSoft Enterprise Campus Solution, manages the school’s course registration, campus housing, and student admissions.

UN officials said encryption probably did not protect the personal information of 650,000 people exposed during the cyber attack.

“The legal investigation into this week’s security breach is still in progress, so we cannot yet comment on the details of this particular incident,” the university said in its announcement. “However, we are confident that the type of attack we experienced would have bypassed any encryption that was in place.”

Shaul said colleges and universities should be as wary of on-campus IT dangers as they are about outside cyber attacks.

“In the world of data breaches, it’s not uncommon to deal with the insider threat,” he said. “Any crime is more difficult and painful when it is perpetrated by someone you know or trust. The relationship between a university and its student body, specifically as that relationship relates to information security, has long been a rocky one.”

The UN security breach is one of more than 30 education-related breaches in 2012, according to statistics from the Privacy Rights Clearinghouse.

Most higher-education hacks have exposed a fraction of the records involved in the UN data breach. Arizona State University (ASU), however, had 300,000 records hacked in January, although no Social Security numbers were involved.


Add your opinion to the discussion.