In 2015, many colleges and universities suffered substantial data breaches. In each case outlined below, universities lost personally identifiable information (PII) on thousands of individuals, from their student bodies to faculty and beyond. In addition to the theft of PII, higher education institutions can be the target of large-scale, sophisticated attacks designed to steal trade secrets and intellectual property. The commercial sector is heavily connected to the leading research in science and technology that stems from colleges and universities. Thus, the security posture of higher education institutions is of great importance on a national level.
In May, Penn State announced that a breach compromised servers containing information on roughly 18,000 people. During the investigation that followed, an intrusion on their network was found dating back to 2012. While it is very difficult for universities to fully regulate all of their IP space, the fact that an intrusion may have lasted three years without remediation is troubling. Incident response times are crucial to avoiding significant data loss. Many of the biggest data breaches result from networks being compromised for a significant amount of time. According to the 2015 Verizon DBIR, just half of the organizations observed discovered malware events within 35 days.
Last July, the University of Connecticut announced that servers for its School of Engineering had been accessed by actors in China. The school said that user credentials for roughly 1,800 users may have been compromised. Yet it did not confirm whether any data (or intellectual property) was stolen directly from its servers. In its announcement, the school said the initial penetration of its servers occurred in September 2013.
In September, a data breach at Cal State exposed the information of nearly 80,000 students who had been enrolled in an online course. The breach occurred via a third party software provider named “We End Violence” that provided the online course. Third parties are an increasingly common threat vector for organizations in all industries. Colleges and universities often work with a great many vendors, suppliers, and partners - signaling that third party risk is inherent to this industry as well.
At many higher education institutions, vendor risk management does not incorporate IT security teams. Going forward, IT teams at universities will need to collaborate during the procurement and onboarding process of vendors and suppliers in order to mitigate third party risk. Moreover, security and risk teams will need to continuously monitor the security performance of third parties.
Auburn University announced last April that the social security numbers of over 360,000 people stored on a server had been inadvertently made available online. According to the school, the server was publicly accessible from September 2014 until March 2015. What's also troubling is that much of the information stored on the server was for applicants, prospective students, and other groups of people who were not part of its student body or faculty.
Challenges In Higher Education
Colleges and universities face specific challenges and obstacles that are not present in other industries. With small security teams and limited budgets, these organizations are tasked with securing large networks. Furthermore, higher-ed institutions often face a seasonal threat landscape: security incidents rise during the months that students are on campus.
To learn more about these challenges, and how security teams can use cloud security and risk tools like BitSight Security Ratings to mitigate cyber risk and improve their security posture, tune into next week’s webinar.