Data breaches slam campuses this summer

More than 19,000 students and faculty had their information compromised at Florida International University this summer.

It’s been a tough summer for college IT officials charged with defending campus servers from hackers who target databases brimming with students’ and faculty’s personal information.

At least three universities—the University of Maine, Penn State University, and Florida International University—reported data breaches in June that compromised Social Security numbers, academic and financial records, and other information for about 40,000 students and faculty across the three institutions.

These universities and others that have scrambled to alert faculty and students of data crimes in recent years are not alone, according to research from the Identity Theft Resource Center, a San Diego-based nonprofit organization.

The number of reported data breaches in schools and colleges increased from 111 in 2007 to 131 in 2008, according to a 2009 report released by the center. Data-security crimes jumped by 47 percent overall between 2007 and 2008, according to the research.

The University of Maine announced June 29 that officials were investigating a data breach that started when two campus servers containing the university’s “student databases” had been compromised by hackers. The breach potentially exposed the personal information of 4,585 people who used the university’s counseling center services between August 2002 and June, according to the school’s announcement.

“This is an insidious crime, all too common in our society in general and universities in particular,” University of Maine President Robert A. Kennedy said in a statement. He added that the school would “take this matter seriously, and we are aggressively pursuing the criminal investigation while working diligently to provide identity theft protection services to those who may have been affected.”

The university launched a web site late last month dedicated to keeping Maine students and faculty apprised of updates on the security breach.

The site says that students and faculty affected by the data breach would receive “at least 12 months of identity protection at no cost” through a company called Debix Identity Protection Network. “Those services include credit monitoring, alerts regarding credit changes, and identity theft insurance,” according to the university’s site.

Florida International University joined the ranks of compromised campuses when officials said more than 19,000 students and faculty had their information exposed on an “unsecure database” identified in May. The school announced June 22 that the information “is now secure.”

The database, according to the university, was used “in connection” with the College of Education students’ eFolio software application, which captures information such as test scores, grades, and other “data elements.” Personal information for 88 faculty members also was exposed in the data breach, according to Florida International.

Penn State University sent letters to 15,806 people whose personal information—including Social Security numbers—was exposed when a computer in the campus’s Outreach Market Research and Data office was compromised by a “bot.” A group of bots, or “botnet,” as they’re known, is a network of compromised computers controlled by malicious software programs that exploit web browser vulnerabilities and a host of other security holes in a personal computer.

Penn State said in an announcement June 2 that the compromised computer “had at one time contained a database of Social Security numbers for official use by the university. The database was removed when Penn State stopped using [Social Security numbers] in 2005, but an archived copy remained undetected in the computer’s cache.”

The latest botnet attack at Penn State wasn’t the university’s first experience with malware. Penn State announced in December that bots had exposed information for about 30,000 students when computers across the campus were compromised.

Internet security experts say campus IT officials should stop using students’ Social Security numbers as identifications, because about 5,900 known botnets have stolen valuable information from computers in many sectors, including higher education.

Shadowserver, an organization that tracks botnet incidents in governments, education, and the private sector, unveiled the running tally of botnets days before security firm Symantec released a report March 2 showing a 5.5 percent hike in spam eMail last month, spurred mostly by botnets.

Spam now accounts for 90 percent of all eMail sent within the U.S., Symantec said.

Peyton Engel, a technical architect for CDW-G, said colleges and universities find it easy to identify students by their Social Security numbers, but as botnets and viruses become more dangerous and difficult to detect, campus IT staff should assign students random numbers generated by an algorithm.

It’s not a solution to stopping botnet attacks, Engel said, but if hackers find student ID numbers that don’t correspond to Social Security numbers, damage can be mitigated.

“They haven’t found how to prevent the incident,” he said. “But they just made it so that it’s not as damaging [if a botnet attacks].”
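An added illustration of Engel's recommendation, not taken from the article or from any university's system: each student is issued a random identifier that carries no information about the Social Security number, and the SSN is moved out of the working records into a separate mapping. The field names, the 10-digit format, the Luhn check digit, and the sample records are assumptions made for this sketch.

```python
import secrets

ID_DIGITS = 9  # random payload length (assumed); one check digit is appended


def luhn_check_digit(payload: str) -> str:
    """Luhn check digit, so a mistyped ID is rejected instead of matching someone else."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:          # double every second digit, starting next to the check digit
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def is_valid_id(student_id: str) -> bool:
    return (len(student_id) == ID_DIGITS + 1 and student_id.isdigit()
            and luhn_check_digit(student_id[:-1]) == student_id[-1])


def new_student_id(issued: set) -> str:
    """Draw from the OS CSPRNG; the ID is never derived from the SSN or any other field."""
    while True:
        payload = "".join(str(secrets.randbelow(10)) for _ in range(ID_DIGITS))
        candidate = payload + luhn_check_digit(payload)
        if candidate not in issued:      # retry on the rare collision
            issued.add(candidate)
            return candidate


def reissue_ids(records):
    """Return (working records keyed by random ID, ID-to-SSN mapping to store separately)."""
    issued, working, vault = set(), [], {}
    for rec in records:
        sid = new_student_id(issued)
        vault[sid] = rec["ssn"]
        working.append({"student_id": sid,
                        **{k: v for k, v in rec.items() if k != "ssn"}})
    return working, vault


# Constructed sample data; area number 000 is never assigned to a real SSN.
SAMPLE = [
    {"ssn": "000-00-0001", "name": "Student A", "gpa": 3.4},
    {"ssn": "000-00-0002", "name": "Student B", "gpa": 2.9},
    {"ssn": "000-00-0003", "name": "Student C", "gpa": 3.8},
]

if __name__ == "__main__":
    working, vault = reissue_ids(SAMPLE)
    for row in working:
        print(row)
```

Only the working records need to live on day-to-day systems; the mapping back to SSNs can be kept on a separate, tightly restricted host or dropped where the number is no longer required.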
