A Montreal student was expelled in fall 2012 after discovering a security flaw in his college’s computer system – a flaw, he said, that could have easily exposed the data of thousands of students.
At first, Hamed Al-Khabaz said he didn’t realize the seriousness of his actions.
He thought he was helping, he said, by following up on a hole he had previously reported to his college. But then the phone rang. The president of Skytech Communications, the maker of the system called Omnivex, was on the line.
While the company decided against any criminal charges and even later offered Al-Khabaz a scholarship, the student was expelled from Dawson College soon after.
“Part of it just felt like it was a game, part of it felt like my duty because their security was poor,” he said. “And I could feel that it was poor while I was just screwing around in the system.”
One 20-year-old just “screwing around” on a Friday night had managed to break into a system used by nearly 100 colleges and more than 200,000 students. The question might have occurred to campus IT officials: What could trained hackers with malicious intent do?
Records compromised by data breaches in higher education were already at a near all-time high that year, with Privacy Rights Clearinghouse reporting more than 2 million compromised. In 2013, the number was more than 3 million.
Ten percent of all data breaches in the United States were in the education sector, according to the Identity Theft Resource Center. As the Ponemon Institute and Symantec estimate the cost of education data at $142 per record, that’s a potential cost exceeding $425 million.
As 2014 begins, universities are bracing for another year of hacks, breaches and malware attacks.
“Universities have a unique challenge when it comes to data security,” said Cindy Bixler, the chief information officer at Embry-Riddle Aeronautical University. “We live in an environment of sharing knowledge and open collaboration while still maintaining a secure environment. I do believe universities are well aware of this challenge and have developed policies and procedures to address it, but it is not a static state.”
Higher education networks are 300 percent more likely to contain malware than their enterprise and government counterparts, according to OpenDNS, an internet security company.