UCLA still has the worst campus data breach ever recorded.

March Madness has yet to tip off, and Virginia Commonwealth University (VCU) has already won a championship. This run through the NCAA Tournament brackets, however, won’t end with campus celebrations, especially in VCU’s IT department.

VCU, a 32,000-student campus in Richmond, Va., that came up one game short of the 2011 NCAA Tournament championship game in its improbable path to the Final Four last spring took home a less glamorous prize March 12, when the university was named the winner of the 2012 Higher Education Data Breach Madness tournament.

Application Security, a database security company based in New York, released a bracket filled with colleges and universities that reported the worst database breaches from the previous year. All 48 higher-education data incidents were mentioned in the bracket, and 16 schools were given bye-rounds.

Read more about IT security in higher education…

‘Socialbots’ pose IT security threat on campus

Yale Social Security numbers exposed in latest case of ‘Google hacking’

VCU breezed through Application Security’s Data Breach Madness tournament thanks to a November data security breach that led to the exposure of more than 176,000 student and employee records. VCU was the 21st campus to report a data breach involving more than 100,000 records since data incidents were first recorded in 2005.

The 10 files on a VCU campus server that was hacked last fall included dates of birth, contact information, names, online identification numbers, Social Security numbers, and various programmatic and departmental information, according to a VCU announcement.

In a statement, the university said an investigation into the data breach was “unable to determine with 100 percent certainty that the intruders did not access or copy the files in question,” but the likelihood that student and employee information was accessed “is very low.”

Mark Willis, VCU’s chief information officer, answered frequently asked students questions in a 12-minute video response posted to the school’s website shortly after the database breach was made public.

Willis said hackers had found their way into the campus’s computer infrastructure, established a few files on a server, and used it “as a platform to scan for other vulnerable machines on the internet” and launch botnets that search for “infected or vulnerable” machines across the web.

The Data Breach Madness Final Four included VCU, the University of Wisconsin Milwaukee (UWM), Yale University, and the University of South Carolina (USC).

Alex Rothacker, director of research for Application Security, said colleges and universities will always be a target for hackers in large part because many campuses don’t have a centralized IT operation with one spelled-out database security policy.


Add your opinion to the discussion.