Data breach at Indiana University: Are colleges being targeted?

While information on 146,000 students and graduates may have been exposed, Indiana U. says, the data breach was not a targeted attack. But cyber-criminals may just be catching on to colleges as targets.

Darron Cummings/AP/File
Shumpei Ushio of Japan speaks to a group of students gathered for the Cultural Coffee Hour that was hosted by the Japanese Student Association on the campus of Indiana University in Bloomington, Ind., Nov. 9, 2012. The University is alerting 146,000 students and recent graduates that their personal information may have been exposed in a recent data security breach.

Indiana University is alerting 146,000 students and recent graduates that their names, addresses, and social security numbers may have been exposed in a recent data security breach.

The data was accidentally stored in an insecure location for 11 months, but was only downloaded by three automated webcrawling programs, rather than by a targeted attack, so “the chance of sensitive data falling into the wrong hands … is remote,” said James Kennedy, a university associate vice president, in a statement.

But these and other recent breaches at universities “underscore the fact that there needs to be enforceable data security standards,” says Khaliah Barnes, director of the student privacy project at the Electronic Privacy Information Center in Washington. While the privacy of student information is protected under federal law, she says, specific practices for data security are largely left up to universities and the technology sector.

When states started requiring public disclosure of data breaches about a decade ago, higher education institutions were “the miscreants” – with huge numbers of breaches, says Fred Cate, director of Indiana University’s Center for Applied Cybersecurity in Bloomington.

Fortunately many of the problems were along the lines of lost laptops, rather than cyber-attacks by criminals, he says, and in recent years, as universities have caught up with prevention practices, they’ve brought the number of breaches down significantly. Now, fewer people are affected in all of higher education than are affected by a single major commercial breach such as the recent compromise of credit cards at Target, he says.

Since the beginning of 2013, 47 data breaches have occurred in the education sector, including K-12 and higher ed, according to a database maintained by the Privacy Rights Clearinghouse in California. Since 2005, 718 such breaches have been recorded.

Despite improvements, higher education must continue its vigilance, Professor Cate says, because criminals are now starting to catch on to how much sensitive information universities store on everyone from students and staff to patients at university hospitals.

Earlier this month, for instance, 309,000 individuals’ records – including social security numbers, birthdays, and university ID numbers – were exposed by a sophisticated cyberattack on the University of Maryland. The US Secret Service has joined the investigation to determine how multiple layers of security were compromised. The university has offered five years of free credit protection services to everyone affected, and has launched a task force to improve its cyber-security.

“Every day, there are thousands of probes of our defenses that we spot and thwart,” said Wallace Loh, president of the University of Maryland, in a statement Tuesday. “There is an arms race between hackers playing offense and universities playing defense. In 2012, we doubled our IT security staff and doubled our annual investments in cyber-security. We will continue to make the necessary investments.”

Keeping up with cyber-threats is “wildly expensive,” Cate says. “Not only is there a technology arms race, but also a training and awareness arms race,” since security is only as good as the training of the people who have to execute the necessary steps. Universities are environments with less of a command-and-control structure than most businesses, and it’s challenging to enforce the most up-to-date policies throughout various academic departments, Cate says.

Indiana has set up a call center for people potentially affected by the breach. The fact that the Indiana data was not likely accessed by someone with ulterior motives is probably little comfort for students, Ms. Barnes says. “Students don’t particularly care how their information was breached,” she says. “Eleven months is a long time to have your social security number exposed.”

Security was one issue addressed this week when the US Department of Education issued guidance to schools and universities on student data privacy. The guidance clarifies standards for information gathered by third parties, such as technology vendors, that interact with schools. The ever-broadening potential uses of student data, for everything from marketing to federal tracking of the effectiveness of education policies, continue to concern privacy advocates.

Barnes recommends that universities publish the types of information they collect about students, where such information is hosted, and how students can amend it. “That can start a dialogue,” she says, with students weighing in if they believe a particular vendor doesn’t have a good enough reputation for security and privacy protection.
