College and University Data Security Breaches
By Charlie Wood, CISA
Trust is the foundation of any good relationship and has never been more evident or vital than the relationships between colleges and universities and their students, faculty, and especially their donors. Without the confidence that their personal information is protected, donors will be less likely to donate to these organizations. Additionally, with the financial community facing the worst economic crisis in decades, it is also imperative that organizations seek new ways to cut costs, retain donors, and improve business processes. Securing an organization’s network environment can be a challenge, especially given the sensitive and highly valuable information collected and maintained by these organizations.
The number of reported data breaches has increased every year since 2007. According to a report released by the Identity Theft Resource Center, data security crimes have increased over 47% since 2007.
These breaches were pervasive across all academic organizations, large and small. Data breaches typically encompassed the loss of records, which contained names, addresses, dates of birth, credit card information, and Social Security Numbers (SSNs). The causes of these breaches range from individuals hacking into an organization’s network, to disgruntled former employees attempting to steal key student data, to current employees misplacing or losing laptops and USB devices. Regardless of the means by which the data is lost or stolen, ultimately the people most affected are the unsuspecting students, faculty, and donors.
In June 2010 alone, multiple college breaches occurred, including the following:
• Penn State University – Nearly 26,000 SSNs were exposed as a result of two separate breaches within the Library and Marketing Research departments.
• University of Maine – A data breach of student databases potentially exposed 4,585 people who had used the University’s counseling center.
• Florida International University – Nearly 20,000 student and faculty records were housed on unsecured University servers and were potentially lost or stolen.
• Florida Community Colleges – Nearly 126,000 Florida students at the following colleges had their records inadvertently exposed during a routine Information Technology upgrade:
o Broward College
o Florida State at Jacksonville
o Northwest Florida State College
o Pensacola State College
o South Florida Community College
o Tallahassee Community College
These organizations understand the hefty cost associated with reporting a breach — loss of reputation, decrease in student and donor confidence, and lack of trust — which will ultimately negatively impact their bottom line.
Common Attacks You Should Understand
There are a myriad of attacks that are carried out on a daily basis. Common attacks include the following:
• SQL Injection – Many web pages leverage SQL commands to look through database information. Since many SQL systems have unpatched vulnerabilities, the attacker leverages these weaknesses to inject a command that can extract valuable customer data.
• Advanced Persistent Threat (APT) – These attacks are highly technical and highly successful, and they are rarely detected by normal security measures such as antivirus and intrusion detection software. They typically combine the latest technology with social engineering techniques aimed at the organization’s employees in order to breach the network.
• Phishing – These attacks are typically performed by hackers who attempt to gain access to critical information by misleading people into believing that they are from legitimate enterprises, when in fact they are not. A typical phishing attack would be an email from what appears to be a financial institution, asking for passwords, SSNs, dates of birth, and account and credit card information.
• Distributed Denial of Service Attack (DDoS) – These attacks are typically an effort to make computer resources (e.g., websites) unavailable to their intended users. Oftentimes, an attack consists of saturating the target website with so many external communication requests that the site can no longer respond to legitimate traffic, rendering it effectively unavailable.
• Keystroke Loggers – These attacks result from malicious software downloads that capture anything typed on a keyboard, such as passwords and other sensitive data, and transmit it to an external entity.
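The SQL Injection bullet above describes a web page that builds a database lookup from what a visitor types. The following is an added example, not code from the article or its author: it contrasts a lookup that pastes the visitor's input into the SQL text with one that binds it as a parameter, using an in-memory SQLite table of constructed, fictitious student records.

```python
import sqlite3

# Constructed sample records (fictitious names and SSN-shaped placeholder values).
SAMPLE_STUDENTS = [
    (1, "Alice Example", "000-00-0001"),
    (2, "Bob Example", "000-00-0002"),
    (3, "Carol Example", "000-00-0003"),
]

def make_db():
    """Build an in-memory SQLite database holding the constructed sample records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO students VALUES (?, ?, ?)", SAMPLE_STUDENTS)
    conn.commit()
    return conn

def lookup_vulnerable(conn, name):
    """Vulnerable pattern: the visitor-supplied name is spliced into the SQL text,
    so whatever they type becomes part of the command the database executes."""
    query = "SELECT id, name FROM students WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()

def lookup_safe(conn, name):
    """Hardened pattern: the name is bound as a parameter, so the database
    treats it purely as a value and never as SQL syntax."""
    query = "SELECT id, name FROM students WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()

def compare_lookups(name):
    """Run both lookups on the same input and report how many rows each returns."""
    conn = make_db()
    try:
        return {
            "vulnerable": len(lookup_vulnerable(conn, name)),
            "safe": len(lookup_safe(conn, name)),
        }
    finally:
        conn.close()

if __name__ == "__main__":
    # An ordinary lookup behaves the same either way: one matching record.
    print(compare_lookups("Alice Example"))
    # Input containing quote characters changes the query's meaning only in the
    # vulnerable version, which then returns every student record instead of one.
    print(compare_lookups("x' OR '1'='1"))
```

The fix is the parameterized query: the database driver, not the page author, decides where the data ends and the command begins.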
If you have never heard of the attacks listed above, then it is time you learn about them. These attacks are becoming more frequent and, in most cases, more sophisticated and difficult to detect.
In an effort to address and ultimately decrease the risk of data loss, multiple Federal and State agencies have put in place laws, regulations, and standards including the following:
• HIPAA (Penalty: prison time & civil lawsuits)
• Gramm-Leach-Bliley Act (Penalty: prison time & civil lawsuits)
• TEACH Act (Penalty: fines & civil lawsuits)
• FERPA (Penalty: fines & civil lawsuits)
• Massachusetts Privacy Law (Penalty: fines and civil lawsuits)
• International Privacy Law (Penalty: significant fines)
• Payment Card Industry Compliance (Penalty: fines potentially in the range of millions of dollars)
The regulations, by design, give organizations some flexibility to design and implement security-based controls that are appropriate given the nature, size, and complexity of the organization. So why do so many organizations fail to adhere to the rules and regulations? There are a number of reasons:
1. Cost – Budget constraints due to economic factors impact both monetary and human capital investments. Many organizations do not have the time or money to implement programs that would ultimately protect sensitive data.
2. Moving Target – In addition to the federal regulations, many states have adopted their own, more stringent rules and regulations. These rules and regulations change on a regular basis and, in some cases, without much public notice.
3. Volume of Data – Records not only contain student, faculty, and donor data, but also include information regarding dependents, beneficiaries, and current and past employees. Accounting for and restricting access to all personal information can be difficult, especially in complex operational environments.
Cost
In addition to the reputational loss associated with a breach, the 2009 CSI Computer Crime and Security Survey noted a number of costs associated with the loss of data. One of the most striking statistics was the average cost of a single breach involving the theft of personally identifiable or personal health information: across all causes other than mobile device theft, including data loss, it totaled $710,000.
Can You Afford NOT to be protected?
As threats intensify and regulations increase, it is imperative that strong security controls are in place to ensure that digital transactions and communications are secure, that compliance with laws and regulations is achieved, and that customer trust and company reputation remain intact.
The increased frequency of attacks, in conjunction with the cost associated with rectifying the situation, can be alarming. In order to mitigate the risk associated with a potential attack, which could lead to a loss of data, every organization should consider performing the following:
• Organization-wide risk assessment
• IT security reviews
• Penetration testing
• Review of malware protection
• Vulnerability assessment
• Data sensitivity reviews
• Business impact analysis
Each of the concerns documented above should be taken into consideration when planning and securing key customer data. In order to mitigate the risk associated with the loss of consumer data, colleges and universities should implement strong security controls. These controls will reassure students, faculty, and donors and continue to build and maintain trust. Greater trust and confidence can decrease student turnover and increase enrollment, staff retention, and donor contributions, resulting in increased revenue for the organization.
About the Author: Charlie Wood, CISA, is a Manager in Bonadio’s Enterprise Risk Management team. With more than a decade of IT industry experience, Charlie’s focus is on security vulnerabilities, internal and external auditing, controls optimization and compliance, and project management.