What went very wrong in 2014; what are concerns for 2015?
According to various reports, including those from BreachLevelIndex.com, PrivacyRights.org, and Secure Computing, there were at least 154 data breaches in the U.S., .edu realm in 2014, and another 36 in .edu-related healthcare facilities.
It may not sound like a shocking number at first blush, but within those breaches, there were ultimately 2,608,038 known records exposed with the number of records compromised ranging from a single record to over 309,000. These records were compromised in a variety of ways; some were accidentally released, others the result of malicious insiders or outsiders.
By way of scale: BreachLevelIndex.com reports 1450 worldwide breaches overall in 2014, comprising at least 974,801,829 records. Surely there’s duplication – for example, it’s likely that some of the same credit card info was exposed in the Target and Home Depot breaches – but in the case of .edu and .edu-related healthcare, the chances for overlap are significantly reduced.
Regardless, the raw stats suggest that .edu and .edu-related healthcare accounted for 13.10 percent of known breaches, but only 0.27 percent of the breached records. That discrepancy is in large measure due to those few breaches in 2014 where millions of records were exposed.
There are other cases where the breaches have not yet been reported; indeed, there are probably many that have not yet been discovered: consider these numbers to be conservative lower bounds.
What are the costs?
In some cases, financial penalties were assessed (for healthcare facilities: HIPAA violations are expensive!), victims filed lawsuits, and of course there were the costs of the investigations, often involving external forensics experts. In many cases, the compromised institutions pay the cost of credit monitoring for victims.
In The Chronicle of Higher Education, Paul Nikhinson of the Beazley Group, which sells cybersecurity insurance to colleges, estimates overall costs of 2014’s University of Maryland breach: “My very conservative estimate would be a couple million dollars.” Costs vary, of course, but according to BusinessIDTheft.org, “Credit monitoring services may cost between $8 and $30 per person per month”, and identity theft protection, if offered, is yet another cost.
These are conservative estimates: a Ponemon report shows international breaches in 2013 averaged, per record, $145 — but the costs were $201 for US, $294 for .edu, and $359 for healthcare. And let’s not even think about the loss of charitable contributions by alumni – victims or not! Perhaps the greatest cost – intangible though it may be – is the reputation and prestige of the institution. Unlike choosing a credit card or local bank, students (and parents) may select from hundreds of competing options when choosing where to pursue a secondary education. Part of the “College Selection Equation” may become “If we send Junior to University of X, might we end up paying even more due to identity theft than for tuition and associated costs?” While we cannot know the number of actual people whose records were compromised, the fact is that those individuals were put at risk, and that alone has a cost to the institutions that suffered the breaches.
(Next page: How can this be mitigated?)