Logo Header - Meakem Becker Venture Capital

Students, faculty and others at risk of having their information compromised within university/college networks.

October 12, 2012

By Wendy Bowman-Littler

(Laguna Beach, CA) - West Coast author Kim Greenblatt remembers his brush with a security breach at a major university well. After requesting a copy of his college transcripts through the website of a Midwestern university, he was surprised to find the transcripts that arrived at his home were someone else’s. He notified the registrar at the California campus and had his correct records delivered directly to him, but he never received an answer about where—if anywhere—his first set of transcripts might have been sent.

“I felt surprised, scared and angry,” says Greenblatt, who was worried that his name, address and social security number might have ended up in the wrong hands. “The process was done somewhat automatically and incorrectly. The fact that the person from the university couldn’t confirm if anything else was wrong was just wrong. I drove my wife nuts for a while worrying about it, and perhaps I overreacted, but it just freaked me out.”

The unintended disclosure of sensitive information—whether posted publicly on a website, mishandled or sent to the wrong party via email, fax or mail—is just one type of education-related data breach prevalent within university networks today.

Because university networks offer a plethora of data, they make a great intentional target for thieves, says Will Marling, executive director of the Virginia-based National Organization for Victims Assistance (NOVA), which provides victim and witness assistance programs for practitioners, criminal justice agencies, professionals, former victims and survivors.

“Students, faculty, staff, alumni, vendors and government agencies all are at risk of having their information compromised,” Marling says. “This provides an opportunity for commission of crimes like theft of finances and medical care, fraudulent loans and a host of other violations.”

A 2011 report conducted by Pleasonton, Calif.-based Javelin Strategy & Research shows that of the 250,000-plus individuals who were victims of identity theft in 2010, 24 percent of those were between the ages of 20 to 29. Another 8 percent were 19 years old or younger, meaning college-aged students account for as much as one-quarter of all identity theft victims.

This could be due to their high profiles online, but also because universities are notorious for data breaches, Marling says. “I would suggest that part of the issue is that academic institutions are aggregates for a lot of personal data—not only of the current faculty, staff and student body, but also alumni—all of which is maintained and valuable.

“Hence, hackers like the potential rewards from a data breach, and because of so many who have legitimate access to such networks, that expands the potential points of compromise,” he adds.

According to the San Diego-based consumer information and consumer advocacy nonprofit Privacy Rights Clearinghouse, 66 data breaches for educational institutions in the U.S. were publicly reported through the end of August 2012, compared with 63 for all of 2011. Among the most prevalent listed on the organization’s 2012 “Chronology of Data Breaches” report include hacking or malware; skimming devices; intentional breaches by employees or contractors; and lost portable devices.

Many high-profile cases of educational data breaches have been reported in the news recently, including an incident at the University of South Carolina, which notified 34,000 people in August that their personal information might have been accessed from a compromised web server that exposed the names, addresses and social security numbers of students, staff and researchers at the College of Education dating back to 2005. In March, the University of Tampa found out that a temporary text file containing the identification and social security numbers, names and birth dates of more than 6,000 students enrolled for the fall 2011 semester was publicly exposed likely for more than six months. Meanwhile, the University of Rhode Island’s College of Business Administration revealed in August that the personal information of more than 1,000 faculty and students, as well as students from another school, was made publicly available on a computer server.

One of the most recent cases announced involved a major breach of confidential records at Northwest Florida State College in Niceville, Fla., that occurred from late May through late September of this year. According to a statement released by the university, hackers broke into its computer systems and stole 200,000 records—including names, social security numbers, birthdates, ethnicity and gender—for more than 3,000 employees and almost 300,000 students, including 200,000 students statewide who were eligible for Florida’s Bright Futures scholarships for the 2005-06 and 2006-07 school years.

Read the rest of the article here.