Indiana University is alerting 146,000 students and recent graduates that their names, addresses, and social security numbers may have been exposed in a recent data security breach.
The data was accidentally stored in an insecure location for 11 months, but was only downloaded by three automated webcrawling programs, rather than by a targeted attack, so “the chance of sensitive data falling into the wrong hands … is remote,” said James Kennedy, a university associate vice president, in a statement.
But these and other recent breaches at universities “underscore the fact that there needs to be enforceable data security standards,” says Khaliah Barnes, director of the student privacy project at the Electronic Privacy Information Center in Washington. While the privacy of student information is protected under federal law, she says, specific practices for data security are largely left up to universities and the technology sector.
When states started requiring public disclosure of data breaches about a decade ago, higher education institutions were “the miscreants” – with huge numbers of breaches, says Fred Cate, director of Indiana University’s Center for Applied Cybersecurity in Bloomington.
Fortunately many of the problems were along the lines of lost laptops, rather than cyber-attacks by criminals, he says, and in recent years, as universities have caught up with prevention practices, they’ve brought the number of breaches down significantly. Now, fewer people are affected in all of higher education than are affected by a single major commercial breach such as the recent compromise of credit cards at Target, he says.
Since the beginning of 2013, 47 data breaches have occurred in the education sector, including K-12 and higher ed, according to a database maintained by the Privacy Rights Clearinghouse in California. Since 2005, 718 such breaches have been recorded.
Despite improvements, higher education must continue its vigilance, Professor Cate says, because criminals are now starting to catch on to how much sensitive information universities store on everyone from students and staff to patients at university hospitals.
Earlier this month, for instance, 309,000 individuals’ records – including social security numbers, birthdays, and university ID numbers – were exposed by a sophisticated cyberattack on the University of Maryland. The US Secret Service has joined the investigation to determine how multiple layers of security were compromised. The university has offered five years of free credit protection services to everyone affected, and has launched a task force to improve its cyber-security.
“Every day, there are thousands of probes of our defenses that we spot and thwart,” said Wallace Loh, president of the University of Maryland, in a statement Tuesday. “There is an arms race between hackers playing offense and universities playing defense. In 2012, we doubled our IT security staff and doubled our annual investments in cyber-security. We will continue to make the necessary investments.”
Keeping up with cyber-threats is “wildly expensive,” Cate says. “Not only is there a technology arms race, but also a training and awareness arms race,” since security is only as good as the training of the people who have to execute the necessary steps. Universities are environments with less of a command-and-control structure than most businesses, and it’s challenging to enforce the most up-to-date policies throughout various academic departments, Cate says.
Indiana has set up a call center for people potentially affected by the breach. The fact that the Indiana data was not likely accessed by someone with ulterior motives is probably little comfort for students, Ms. Barnes says. “Students don’t particularly care how their information was breached,” she says. “Eleven months is a long time to have your social security number exposed.”
Security was one issue addressed this week when the US Department of Education issued guidance to schools and universities on student data privacy. The guidance clarifies standards for information gathered by third parties, such as technology vendors, that interact with schools. The ever-broadening potential uses of student data, for everything from marketing to federal tracking of the effectiveness of education policies, continues to concern privacy advocates.
Barnes recommends that universities publish the types of information they collect about students, where such information is hosted, and how students can amend it. “That can start a dialogue,” she says, with students weighing in if they believe a particular vendor doesn’t have a good enough reputation for security and privacy protection.