A Montreal student was expelled in fall 2012 after discovering a security flaw in his college’s computer system – a flaw, he said, that could have easily exposed the data of thousands of students.
He thought he was helping, he said, by following up on a hole he had previously reported to his college. But then the phone rang. The president of Skytech Communications, the maker of the system called Omnivex, was on the line.
While the company decided against any criminal charges and even later offered Al-Khabaz a scholarship, the student was expelled from Dawson College soon after.
“Part of it just felt like it was a game, part of it felt like my duty because their security was poor,” he said. “And I could feel that it was poor while I was just screwing around in the system.”
One 20 year old just “screwing around” on a Friday night had managed to break into a system used by nearly 100 colleges and more than 200,000 students. The question might have occurred to campus IT officials: What could trained hackers with malicious intent do?
Records compromised by data breaches in higher education were already at a near all-time high that year, with Privacy Rights Clearinghouse reporting more than 2 million compromised. In 2013, the number was more than 3 million.
Ten percent of all data breaches in the United States were in the education sector, according to the Identity Theft Resource Center. As the Ponemon Institute and Symantec estimate the cost of education data at $142 per record, that’s a potential cost exceeding $425 million.
As 2014 begins, universities are bracing for another year of hacks, breaches, malware attacks.
“Universities have a unique challenge when it comes to data security,” said Cindy Bixler, the chief information officer at Embry-Riddle Aeronautical University. “We live in an environment of sharing knowledge and open collaboration while still maintaining a secure environment. I do believe universities are well aware of this challenge and have developed policies and procedures to address it, but it is not a static state.”
Higher education networks are 300 percent more likely to contain malware than their enterprise and government counterparts, according to OpenDNS, an internet security company.
More than half of colleges and universities transmit various kinds of sensitive information – including financial details – over unencrypted channels, according to a survey conducted by HALOCK Security Labs, a security firm based in Illinois.
This past summer, the University of Wisconsin reported 100,000 cyber-attacks from Chinese IP address every day. In August, the Kentucky Department of Education’s Infinite Campus network was hit with a denial-of-service attack (DDoS).
Embry-Riddle had its own security concerns when the university decided it wanted to track employee access to sensitive data.
Not only did the school lack a system-wide way of doing this, the distance between individual campuses made enforcing security policies a virtual nightmare. Embry-Riddle has residential campuses in Prescott, Ariz., and Daytona Beach, Fla. — as well as more than 130 smaller locations in four different countries, including the Middle East.
The university was able to use a suite of security products by Oracle Identity Management to create a way of automating giving and revoking acess privileges to 60,000 accounts. Bixler said security efforts have to go further than just software, however.
“Security is every employee’s job, staff and faculty,” she said. “We focus on educating staff and faculty on their role in keeping the data they have access to secure. This is a continuous education effort as the security landscape changes.”
A major part of that changing landscape is the proliferation of mobile devices on campus. At Cornell University’s Weill medical College, for example, the office of academic computing transfers files between internal researchers and external researchers using smartphones and tablets.
While using mobile devices makes transferring data easier and more convenient, it also leaves the information more open to cyber attacks, Bixler said. Finding a safe compromise is key.
“It is a balancing act,” she said.
Al-Khabaz, who fought his expulsion but was never able return to school, said the ease of which he was able to “fiddle around” in one of the most widely-used university computer systems in North America points to serious security concerns that still need to be addressed on some college campuses.
“These systems are truly not always very well-protected,” Hamed said.
Follow Jake New on Twitter at @eCN_Jake.