July 7, 2009

Experts Say Universities Susceptible to Data Breaches

In early June, when a Cornell employee’s computer containing the names and Social Security numbers of more than 45,000 students and staff members was stolen, it was the school’s third data breach in the past four years.
In June 2008, someone hacked into an administrative computer that contained the personal information of 2,500 students. And in 2005, a similar incident affected more than 900 individuals.
The information that universities ask their students to supply can often cost many of them their personal security if it falls into the wrong hands.
“Universities are particularly susceptible to data breaches because of their decentralized structure,” said Beth Givens, director of the Privacy Rights Clearinghouse. “Lots of people — faculty, some staff, computer center operators, human resources department, the registrar’s office, etc. — have access to the Social Security numbers of students and others. There is no one central control function.”
Cornell is not alone. Stanford, UC Berkeley and Ohio University are among the many universities that have also experienced mass data theft.
“Cornell is undertaking an institution-wide data inventory initiative and conducting a full review to further improve our policies and practices regarding the security of our confidential data,” said Simeon Moss ’73, director of Cornell University Press Relations.
Moss further differentiated last week’s incident from the previous occurrences, which “involved malicious electronic data breaches,” and added, “Improving policies to further protect against those types of incidents is also part of the full review, which began even before the theft of the computer.”
After experiencing a similar incident last December, UCLA officials decided that the best way to deal with the situation was not to have students’ Social Security numbers online in the first place.
“The faster we move on that, the better off we will be,” said Jim Davis, UCLA’s Chief Information Officer.
Universities have already learned to use Social Security numbers more cautiously.
“Some colleges used to use social security numbers as ID numbers many years ago,” said Jack F. Dowling, head of JD Security Consultants. “They would even post test results outside their offices by SSN.”
Last week’s devastating incident comes as a further reminder that computers are vulnerable. One in every 10 laptops is stolen, according to the FBI’s National Crime Information Center. Because most students bring laptops to college, university campuses provide thieves with especially easy targets. At MIT, for instance, 70 to 80 laptops are stolen per year.
Consequently, physical security plays just as important a role in preventing data theft as electronic methods such as file encryption. MIT’s Information Systems Security Office recommends several devices to protect laptops. These include the Caveo card, which has a motion detector that sounds an alarm when the computer is removed from a user-specified area, and the STOP tag, which when removed leaves a mark on the laptop that makes it unprofitable to resell.
In addition to potentially creating a bureaucratic nightmare for the students whose identities may be stolen, identity theft can be costly to universities as well. Simon Hunt, who writes for the McAfee Security Insights blog, calculated that the most recent incident at Cornell will cost the University between $18,000 and $30,000.
With all the panic about identity theft that abounded on Cornell students’ Twitter and Facebook statuses last week, experts say it is important to remember that so far, no one’s identity has actually been stolen.
What is done with the information is “based on the motivation of the individual who took the computer,” Dowling pointed out. The personal data “could be used to set up a fake identity, or it could be that maybe the computer was stolen because someone just wanted to sell a computer.”
Givens also reminded students that they are not yet victims of fraud. But she cautioned that, to avoid becoming victims, they should take the steps the University has recommended.
“Just because a laptop was stolen containing SSNs, it does not mean that these people will become victims of identity theft,” she said. “However, the affected individuals need to take steps to protect themselves. They should put fraud alerts on their 3 credit reports. And for the next couple of years, they should check their credit reports on a regular basis, looking for the tell-tale signs of fraud.”