Another college, another data breach!
This week the University of Delaware sent out letters and emails after its system was allegedly hacked, affecting the sensitive personal information of 72,000 past and present employees. The compromised personal data includes names, addresses, Social Security numbers, and university ID numbers.
Last month officials at the University of South Carolina sent letters to 6,300 students, explaining that their sensitive personal information, including Social Security numbers, could have been accessed after a laptop was stolen from the physics department. This was the seventh data breach in seven years for the university.
In June, Champlain College alerted 14,217 students possibly affected by a misplaced hard drive containing their names, Social Security numbers, and other information provided to the college’s admissions and financial aid offices. Officials at the Vermont college say the information was mostly from students who applied for traditional undergraduate admission from Fall 2010 through February 2013, though the identities of some graduate and continuing professional studies students may also be compromised.
Private WiFi has covered numerous data breaches at colleges, so the point is now overwhelmingly clear: every day there’s seemingly another story about breaches on college campuses. But why is this happening?
Why don’t schools and universities take the necessary steps to safeguard sensitive information? Universities in general have limited budgets for information security, and therefore struggle to comply with the numerous laws and regulations regarding the data in their custody.
HALOCK Security Labs found that this back-to-school season may be an ideal time for data thieves to steal the personal and financial information of students and parents. The cybersecurity firm says over 50% of the colleges and universities investigated allow sensitive information to be transmitted over unencrypted (and therefore unprotected) email as an option without directly promoting it, and 25% of the institutions investigated advised applicants to send personal information, including W-2s, via unencrypted email to admissions and financial aid offices.
The company — which surveyed 162 institutions in the United States, including Big 10, Big 8, Ivy League, community colleges, and technical institutes — found 41 schools that encouraged scanning and emailing unencrypted documents.
HALOCK suggests that multiple issues may be overwhelming these institutions:
- Typical university cultures promote open access to information
- Transient and inexperienced student workers
- Limited security and compliance budgets
- Complicated and bureaucratic procurement processes
- Student hackers who target the very university that is educating them
- Immature risk management
- Information technology changes are limited to seasonal university breaks
- Difficulty in educating the Board of Trustees on security risks
Combine these factors with millions of private records (Social Security numbers, tax records, health records, banking information, etc.) and high-worth intellectual property (research, patents, etc.) and you’ve got a rich target for hackers.