A university is perhaps a place one would overlook when considering targets of data breaches. After all, colleges deal in knowledge, not big money. What would the appeal be to hackers?
And yet, as a series of recent security attacks on major educational institutions has shown, universities are susceptible to breaches. While they may not lay claim to the vast riches of a major retailer like Target – whose data breach earlier this year left 40 million customers’ credit card information exposed – colleges have something that is nearly as valuable: trust with the people they serve. And it is exactly this trust that cybercriminals sought to undermine when they broke into databases for colleges spanning the country, from Maryland to Indiana, according to Tech Page One. The security breaches discussed here suggest that colleges lack the endpoint security management solutions necessary to keep information safe in a world rife with cybercrime.
Indiana University faces troubling disclosure
Many universities maintain databases of personnel both past and present, and Indiana University is no exception. Within its internal infrastructure is a dataset containing personal information – including names and Social Security numbers – for 145,966 students who went to the university between 2011 and 2014. This type of information is stored with colleges all the time, and usually students have no reason to worry about their personal data being safe. But that changed on Feb. 25, when the university put out a release warning of a breach on that data set.
The breach came at an unfortunate juncture: Less than two months before, several retailers including Target and Neiman Marcus were attacked, leading to stolen credit card information for more than 40 million customers, according to the LA Times. For a nation wary of security intrusions and their potentially devastating privacy impact, to hear about one happening at Indiana University was doubtless discomforting. But the university did as much as it could to assuage general concern.
“Unlike recent high-profile data breaches … no servers or systems were compromised,” the university said.
Indeed, as a later release by the university pointed out, despite the fact that a database containing Social Security numbers was hacked, none of those numbers were actually taken. That is because the culprits behind the attack were not identity-swiping cybercriminals but instead automated webcrawlers. Therefore, despite the fact that the breach happened, the university did not receive any reports about fraudulent activity stemming from the incident. Considering the breach could have been significantly worse, the university is not taking any chances.
“We have moved quickly to secure the data and are conducting a thorough investigation into our information handling process to ensure that this doesn’t happen again,” the university’s associate vice president for financial aid James Kennedy said.
But Indiana is not the only school dealing with the fallout of a breach. Check back for part 2 to read about how security attacks are a pervasive threat for educational institutions.