The March Madness bracket feared by every campus IT official

UCLA still has the worst campus data breach ever recorded.

March Madness has yet to tip off, and Virginia Commonwealth University (VCU) has already won a championship. This run through the NCAA Tournament brackets, however, won’t end with campus celebrations, especially in VCU’s IT department.

VCU, a 32,000-student campus in Richmond, Va., that came up one game short of the 2011 NCAA Tournament championship game in its improbable path to the Final Four last spring, took home a less glamorous prize March 12, when the university was named the winner of the 2012 Higher Education Data Breach Madness tournament.

Application Security, a database security company based in New York, released a bracket filled with colleges and universities that reported the worst database breaches from the previous year. All 48 higher-education data incidents were mentioned in the bracket, and 16 schools were given bye-rounds.


VCU breezed through Application Security’s Data Breach Madness tournament thanks to a November data security breach that led to the exposure of more than 176,000 student and employee records. VCU was the 21st campus to report a data breach involving more than 100,000 records since data incidents were first recorded in 2005.

The 10 files on a VCU campus server that was hacked last fall included dates of birth, contact information, names, online identification numbers, Social Security numbers, and various programmatic and departmental information, according to a VCU announcement.

In a statement, the university said an investigation into the data breach was “unable to determine with 100 percent certainty that the intruders did not access or copy the files in question,” but the likelihood that student and employee information was accessed “is very low.”

Mark Willis, VCU’s chief information officer, answered frequently asked student questions in a 12-minute video response posted to the school’s website shortly after the database breach was made public.

Willis said hackers had found their way into the campus’s computer infrastructure, established a few files on a server, and used it “as a platform to scan for other vulnerable machines on the internet” and launch botnets that search for “infected or vulnerable” machines across the web.

The Data Breach Madness Final Four included VCU, the University of Wisconsin Milwaukee (UWM), Yale University, and the University of South Carolina (USC).

Alex Rothacker, director of research for Application Security, said colleges and universities will always be a target for hackers in large part because many campuses don’t have a centralized IT operation with one spelled-out database security policy.

“Not having one body that really is aware of all the security aspects of a college is a disadvantage for [higher education],” he said. “All [departments] aren’t complying with one set of policies that have been laid out.”

Hackers sometimes impersonate authorized users of a campus network, allowing access to digital treasure troves of Social Security numbers, birth dates, grades, and contact information, according to an Application Security report.

Network attackers also have been known to manipulate logs and hide their illegal activity.

However alarming, college data breaches since last spring have fallen to the lowest levels since data security has been tracked by websites like Privacy Rights Clearinghouse.

There were 480,000 student and employee records breached in higher education in 2011, less than one-fourth of the 2010 total of 1.7 million compromised records. 2005 had the highest total of campus records breached with 1.9 million.

No school from this year’s Data Breach Madness made the list of all-time information breaches. The record still belongs to the University of California Los Angeles (UCLA), which, in 2006, reported a breach that exposed 800,000 records. Ohio State University (OSU) had the second-worst data breach, with a 2010 incident that involved 750,000 students, faculty, alums, and campus employees.

Firewalls that protect the perimeter of a college’s database have become commonplace in higher education, Rothacker said, but security technology that tracks any and all activity within a database filled with personal information isn’t used on many U.S. campuses.

“Activity monitoring is at a relatively young stage,” Rothacker said. “But I think colleges see that there’s major value in this because they’re getting much better at protecting their records.”
