Mon 7 May 2007
Breach at University of Western Florida: Are academic institutions sitting ducks?
Posted by Slavik under breach, insider threat, privacy, security, universities
While it’s not headline news yet (and may never achieve such lofty status), a recent database breach at UWF was exposed and later reported in local news. What exactly happened and how many records were compromised is, as usual in such cases, unknown.
This made me think: We hear of breaches at universities all too frequently. Privacy Rights Clearinghouse, a website that documents data breaches, lists over 140 breaches in universities since January 2005. That’s more than one per week on average. Ouch.
Why is that?
The crucial factor here is that universities have very large populations of “insiders”. Students are like employees: They are authorized users. They have logins and passwords. They are also young and rebellious, and many are tech savvy – e.g., computer science students, to state the painfully obvious. Some are “hackers”, looking to prove they can hack, or influenced by some anarchist/Marxist/New Age book they browsed in the library, and others may be more traditionally motivated by money, criminal intent or a deep desire to change their grades…
This is also a transient population, and very hard to control. Every 3-4 years the population changes almost completely. Unlike employees, they do not stay long enough to develop any kind of loyalty, plus of course they don’t get paid – quite to the contrary, they’re the ones paying.
What about the data itself? Naturally grades are very important to students, but they are of little value to anyone else. Other student data is a lot more interesting, including Social Security numbers, bank account details and other personally identifiable information – the bread and butter of identity thieves. At least gone are the days when SSNs were used as student numbers – although many of those still lurk in alumni databases around the US, which highlights another point: Although the population is transient, the data is not. It stays. A large-ish university will have hundreds of thousands of former student records. Quite the honeypot.
Universities mostly lack the IT resources that Fortune 500 companies have, but the challenge they face in securing their data is no less daunting. I think that one simple, non-technical solution would be not to collect unnecessary data in the first place, and if it must be collected for current students, dispose of it once the student graduates. As an alumnus, why would I possibly need my alma mater to retain my Social Security number?
Technically there are many things the universities can do, but I don’t want to sound tedious already on my second post (hint: If you don’t monitor database activity, you won’t know whether the DB was breached, when, how, by whom or how badly – but enough of the hard sell).
4 Responses to “Breach at University of Western Florida: Are academic institutions sitting ducks?”
Trackbacks & Pingbacks:
[…] a month ago I posted about breaches at educational institutions, and suggested that rectifying the problem could start by simply not hoarding PII (personally […]
Hi Slavik,
Great post. I am the IT manager of a small university in the Midwest, facing exactly the same problems. I also have a good friend serving as the IT Security officer in our local college. I discussed this issue with him over dinner after reading your post. No doubt – you hit the nail on the head!
Howdy Slavik,
I just heard an update on this story on WEAR-TV 3 news in Pensacola – the student who discovered this breach will be expelled. This segment appeared on the news, but is not listed on the tv website, nor anywhere else. Have you heard anything?
Brandi,
That’s news to me. Obviously, if he was expelled because he was the whistleblower, that’s very unfortunate. However, without knowing the facts, it may well be that he’s being expelled for some other reason.