Two or three years ago, if a laptop computer was stolen on a college campus, the only concern was how to replace an expensive item. Today, the first concern is "What sensitive data might have been stolen?"
Lost laptops can give thieves access to information such as Social Security numbers, credit-card numbers, or passwords. Young students or college employees may not be savvy about protecting such data. Beyond identity thieves, colleges and universities are also threatened by hackers who can turn school computers into "zombies" to send out spam e-mails or target Web servers with denial-of-service attacks.
As students arrive on campuses, colleges and universities are becoming more aware that personal information about faculty, staff, students, and donors must be protected.
More than 50 million people, many of them college students, have had private data exposed to possible theft since February, according to the Privacy Rights Clearinghouse (PRC) in San Diego. That's when ChoicePoint Inc., a company that stores consumers' financial records, revealed that thieves had accessed information on some 145,000 people. The announcement began a round of similar revelations and sparked interest in the security of commercial, government, and other databases.
In the last seven months, more than 30 US colleges and universities have reported computer security breaches, including data theft and hacking, according to PRC. Among them: Boston College, Northwestern, Carnegie Mellon, Purdue, and Stanford.
Campuses across the country are reassessing their risks to see what new security steps they should take, as well as making sure that existing data privacy policies are being followed, says Rodney Petersen, a security expert at EDUCAUSE in Washington, D.C., a nonprofit association that promotes the use of computers in higher education.
Information technology often isn't controlled "with an iron hand" on campuses, says Gary Kessler, who teaches a program on information security at Champlain College in Burlington, Vt. College networks, he says, "tend to be open because there's a feeling in academia that we want everybody to use stuff."
That tradition of academic freedom, he says, can create vulnerabilities, such as a professor setting up a Web server for a class without giving thought to securing the computer or even alerting the college's information technology department to its existence.
Dartmouth College in Hanover, N.H., has one of the most highly networked campuses in the United States. Computer access is available nearly anywhere, inside or outside the buildings, via a wireless Wi-Fi connection. That has encouraged widespread use of computers by students. Professors also use the network in a variety of ways, such as giving out assignments, delivering course materials, administering tests, and posting grades.
Though students aren't required to connect to the college network via Wi-Fi, they nearly all do, says Robert Brentrup, associate director of technical services at Dartmouth.
If not properly protected, Wi-Fi networks can be easily hacked. Colleges that had allowed open access to their Wi-Fi connections are now requiring users to identify themselves as part of the college community in order to gain access, Mr. Petersen says.
To protect its Wi-Fi system, Dartmouth employs an encryption system called WEP2 (Wireless Equivalent Privacy) and is looking to enhance that with further encryption techniques, Mr. Brentrup says. But in keeping with its educational mission, the college also plans to offer various levels of wireless access. "The more we know about you, the more access you'll have," he says. Guest users at the library, for example, would be able to only browse the Web and access online library materials.
As much as the college tries to educate students about data privacy, it also tries to educate the staff on security practices, such as turning off programs when they're not in use. In addition, Dartmouth has put its human resources department, where sensitive records are kept, "on a private subnet," which "keeps the traffic encrypted all the time," he says.
For more than a decade, the Ivy League college has required students to bring a computer with them. Like many other campuses, Dartmouth sells computers to its students. This year, about 700 of 1,000 new students bought their computers through the college, which in turn makes sure each is equipped with virus, spyware, firewall, and other security protections.
In general, campuses do a very good job protecting the financial information of students, says Jack Suess, vice president of information technology at the University of Maryland Baltimore County (UMBC). But a computer in a department that contains admission or alumni records, might prove vulnerable to hackers. UMBC will have 11,000 to 12,000 computers on campus this fall, he says, but "there's probably only 200 or 250 I'm really worried about." Colleges are trying to identify computers that have sensitive data on them and then "take extra precautions with those machines," he says.
Some universities are doing cutting-edge research on computer networks and uncovering new security threats that only later may be seen in private industry, Mr. Suess says. "We're sort of the proving ground."
Meanwhile, Champlain College is adding an information security major to its curriculum this fall, which will prepare students for careers in protecting computer networks. Unlike some other jobs in the high-tech industry, these sensitive positions are unlikely to be "outsourced" to workers in other countries, Mr. Kessler says. "Sadly, the job market is going to be excellent" for information security majors, he says.