What universities need to know about the Heartbleed bug

Heartbleed security flaw, university data breaches have administrators on edge

The Heartbleed bug, a serious security flaw found earlier this month in the encryption software used by most secure websites, has many organizations scrambling to fix the issue — including universities.

The University of Nebraska-Lincoln announced that it was scanning all of the university’s networks for any Heartbleed vulnerabilities. Vanderbilt University announced it was doing the same, as did Stony Brook University, and the University of Texas, among others.

Speaking with a student newspaper last week, Cam Beasley, chief information security officer at the University of Texas, sought to calm student nerves.

“[There is] no real risk to students using central IT services, but it is possible that various Internet services they use could have experienced some exposure depending on if they were vulnerable and how long they took to patch systems,” Beasley told the Daily Texan. “Several systems were patched once the update became available, but no critical services were exposed.”

At the University of Maryland, Ann G. Wylie, the interim vice president, said the bug did not affect many of the university’s systems, but that students, faculty, and staff should still be on alert.

“A little paranoia is warranted around this issue right now,” Wylie wrote in an email last week.

Wylie has good reason for being on edge about Heartbleed. Universities are struggling enough to keep data secure even without the bug.

The University of Maryland was the victim of a massive data breach earlier this year that compromised 287,580 records. Just four weeks later, another hacker accessed sensitive information of administrators, including the social security and phone numbers of Wallace Loh, the university’s president.

Earlier this month, a data breach at North Dakota University exposed nearly 300,000 records. In February, Indiana University realized it had left names, addresses, and social security numbers of 146,000 students and recent graduates exposed for 11 months.

Between these three universities, and in just the first three months of the year, nearly 750,000 higher education records have been put at risk.

At the current rate, data breaches can easily keep pace with last year, which saw more than 3 million records compromised.

Higher education networks are 300 percent more likely to contain malware than their enterprise and government counterparts, according to OpenDNS, an internet security company. And, in 2013, HALOCK Security Labs found that 25 percent of universities had put sensitive information at risk through using unencrypted emails.

“Universities need to get serious about securing their environment,” said Terry Kurzynski, a senior partner at HALOCK. “They need to be sure that they are following security standards, as well as the laws and regulations that require the protection of personal information.”

Kurzynski noted that the task can be easier said than done, however.

“Universities in general have limited budgets for information security, and therefore struggle to comply with the numerous laws and regulations regarding the data in their custody,” he said.

Follow Jake New on Twitter at @eCN_Jake.
