Data breaches challenge university data security

Universities are fighting data breaches and security threats by upgrading IT

Recent massive data breaches and sophisticated phishing attempts threaten universities’ cybersecurity. Credit: Maksim Kabakou

Recent massive data breaches and sophisticated phishing attempts threaten universities’ cybersecurity. Credit: Ben Clark

After two large data breaches at universities in Maryland and Indiana and increased phishing attempts at colleges across the country, schools are offering assurances that they are trying to safeguard the personal information of students, faculty and staff.

“There is an arms race between hackers playing offense and universities playing defense,” University of Maryland President Wallace D. Loh said in a statement sent out to the community, noting that the school thwarts thousands of potential cyberattacks daily.

The school suffered a data breach last month that left at risk personal information — including social security numbers and birth dates — of more than 309,000 faculty, staff and students issued university IDs since 1998. The U.S. Secret Service is investigating and a university-wide review is underway of all computing and information systems at Maryland, Loh said. The university has also offered a free five-year membership in Experian’s credit protection services to all affected.

“We are not alone. In the past couple of years, some 20 large universities across the country have also reported major data breaches,” Loh said.

Security breaches nationwide

A database maintained by the Privacy Rights Clearinghouse lists 718 data breaches in the education sector, including K-12, since 2005. Recorded breaches range from lost laptops with sensitive information to targeted cyberattacks.

At Indiana University last month, data involving approximately 146,000 students and recent graduates was compromised when it was accessed by three automated computer data mining applications, known as webcrawlers.

Because it was not intentionally targeted, the university said there was “no evidence the files have been viewed or used for inappropriate or illegal purposes.” The data was accidentally stored in an insecure location, which has since been secured, the school said.

The Maryland attack appeared to be more targeted. Loh called it a “sophisticated cyberattack.”  He said the university doubled its IT security staff in 2012 but would “continue to make the necessary investments” to secure systems at the school.

Additionally, Maryland will offer identity theft seminars to educate students, staff and faculty about protecting their own information, he said.

IT security experts maintain that phishing attacks at schools nationwide point to the need for individuals to be on alert for cybersecurity threats. Unlike wholesale data breaches, individual users have to click on a link or respond to a bogus email for their information to be compromised.

Phishing attempts lure students and staff

Colleges and universities have been sporadically targeted for phishing over the past several years. The latest outbreak seems to have spread across the country over the past couple months with schools from Florida to Washington State warning students and staff to be careful.

The bogus emails look like they come from the schools — the hackers often swipe official logos — and ask users for passwords, social security numbers and other information. At the University of Illinois at Urbana-Champaign, users were asked to verify their email address by clicking on a link to a server in Russia, according to the school.

At Rutgers University in New Jersey, those targeted were asked for banking information in an attempt to reroute direct deposit payments, said Donald Smith, vice president for information and technology.

The emails often convey a sense of urgency and use terms and phrases such as “validate,”  “verify” or “update your account,” according to Smith.

He said Rutgers would never request login/password information via email for any reason and that users should not click on the links.

The University of Missouri Kansas City cautioned students that universities and never ask for personal account information via email and that such messages should be closed and deleted.

Patricia Alex
Patricia Alex has worked as a reporter and editor in New Jersey for many years and writes about higher education for one of the state's largest newspapers, The Record.
Patricia Alex
Tags: Education,Industries