Earlier this spring, it was reported that Washington State University agreed to pay over $4.7 million to settle a lawsuit involving the breach of 1.2 million individuals’ confidential records. The settlement grabbed headlines likely for three reasons: a rare privacy and cybersecurity case involving a public university, the staggering figures in question in terms of both the settlement amount and alleged victims involved, and last but not least, the can-you-believe-what-happened circumstance that has since come to light behind the breach.
Related content: How to balance transparency and security in cybersecurity education
It is not everyday news to see a university involved in a cybersecurity breach. Yes, it happens likely more than we know, but it is not typically as dramatic in scale. Perhaps you would see a case where 50 faculty members from one department had their online access hacked by a student, or something similar, but rarely would it involve 1.2 million records. Most universities do not have one single database that contains millions of valid social security numbers, as is the case here.
One may say what transpired was also dramatic in terms of the actual breach event. Not dramatic by ways of car chases or state-sponsored transcontinental heists–quite the opposite actually–but rather it was gasp-inducing in terms of the recklessness involved, according to at least one legal expert interviewed. Missed opportunities to practice basic cybersecurity awareness were precursors for the breach that affected over a million people.