The Final Four no college wants to make


There have been 2.3 million records breached at colleges since 2008.

There’s a March Madness bracket out there that might cause nightmares for campus technologists everywhere. It ranks higher education’s worst security breaches, and a related report says things probably will get worse.

So while fans from VCU, Butler, Kentucky, and U-Conn celebrate a shot at the national title this weekend, IT officials from Ohio State University (OSU), Georgia’s Valdosta State University, Buena Vista University in Iowa, and the University of North Florida will see their school’s security blunders recognized as the worst in higher education in 2010.

On the strength of an October database breach that exposed personal information of 750,000 students, faculty, and alums, OSU won the 2010 Higher Education Data Breach Madness.

More on data security in higher education…

Campus Network Security Made Easy

The Data Breach Madness bracket, which began with campuses sporting the 64 worst data losses of last year, was released this week by Application Security, Inc., a database security company based in New York.

Runner-up Valdosta had 170,000 university records illegally accessed, Buena Vista had 93,000, and North Florida racked up 52,853 compromised records. The personally identifiable information stockpiled on campus servers includes names, addresses, credit card numbers, financial information, Social Security numbers, and healthcare records of employees, students, and their parents.

The University of North Carolina at Chapel Hill campus took home the Higher Education Data Breach Madness title in 2009, and the University of Florida College of Dentistry won in 2008.

OSU discovered the security lapse in late October and hired “the nation’s best computer forensic consultants” to search the school’s network and check what, if anything, had been taken from university records, according to a university statement.

In late November, the forensic consultants told OSU officials that “there was no evidence that any data were taken out of the system by unauthorized individuals,” according to the school’s statement. “The experts did find evidence that the purpose of the unauthorized access was to launch cyber attacks.”

A report published by the company’s researchers, known as TeamSHATTER, exposed some of the most common ways in which college networks are hacked.

More on data security in higher education…

Campus Network Security Made Easy

College and university information was exposed through vulnerability in a campus’s operating system or through obtaining valid login and password information by stealing, guessing, or the use of Trojan virus, according to the report.

Hackers would sometimes impersonate authorized users of a campus network, allowing access to digital treasure troves of Social Security numbers, birth dates, grades, and contact information. Network attackers also have been known to manipulate logs and hide their illegal activity, the TeamSHATTER report said.

Authors of the TeamSHATTER research pointed to campus culture as a possible culprit for 2.3 million records breached at colleges since 2008. The openness of informational exchange, researchers said, isn’t conducive to keeping sensitive information behind secure digital walls.

“The nature of higher ed is to foster an open academic environment, which is a nature at odds with the need to protect sensitive information and be mindful of security issues,” the report said. “Changing this nature requires a philosophical shift in the way these institutions view sensitive data.”

Alex Rothacker, director of security research for Application Security, said growing security threats have motivated campus IT departments to operate more like the private sector in recent years.

“Sensitive data is not something that’s part of the academic exchange,” he said. “Of course you want to have an exchange of ideas and knowledge, but most of these colleges are run like businesses to a large extent, and that’s a good thing.”

More on data security in higher education…

Campus Network Security Made Easy

Even with bolstered cyber security measures, Rothacker said, colleges will still have to fend off a growing number of network hackers who know the financial value of a campus database.

“A new focus might dampen that effect for a while,” he said. “But hackers have figured out how to make lots of money doing this … and there’s large organized crime behind this. They’re going to keep trying.”

That means college IT chiefs might be unaware of major attacks for months after they happen. The report mentions a Georgia campus whose “perimeter layer protections” were breached in December 2009. It wasn’t until February 2010 that officials discovered more than 170,000 records were illegally accessed.

Hackers target financial institutions more than higher education institutions, according to the report. In fact, college and university data breaches account for about one-fifth of all U.S. data losses every year.

The country’s economic downturn could be partly to blame for skyrocketing hacker attacks on colleges and universities. Only half of U.S. campuses said they would increase security spending in 2010, according to the report.

“In a world of constantly evolving threats, failure to increase database security will surely result in a higher volume of breaches,” the report said.

More on data security in higher education…

Campus Network Security Made Easy

Sign up for our newsletter

Newsletter: Innovations in K12 Education
By submitting your information, you agree to our Terms & Conditions and Privacy Policy.