February 27, 2014
Some 146,000 students and recent graduates of Indiana University may have had their personal information exposed in a database breach that was recently discovered.
In a press release, the university announced that personal data, including names, addresses and Social Security numbers for students and recent graduates who attended any of the seven IU campuses from 2011 to 2014 were potentially exposed. The data had been accessed by three webcrawlers that are used to improve web search capabilities.
The security breach was found when a university staff member accessed the files. The site was immediately locked, and the sensitive information was moved to a secure location the next day. It had been discovered, however, that the students' data had been in the insecure location since March 2013, when security protections for the host site accidentally allowed access without the necessary authentication.
IU assured students that their personal information had not been downloaded by an unauthorized individual and that no servers or systems had been compromised. Still, the university said it was taking the necessary steps to minimize any potential impact and to safeguard against future breaches. The university has notified the Indiana attorney general's office and also plans to give the names and Social Security numbers of those potentially affected to the three major credit-reporting agencies for credit monitoring. A website and call center have also been set up to help answer questions and provide additional information.
"This is not a case of a targeted attempt to obtain data for illegal purposes, and we believe the chance of sensitive data falling into the wrong hands as a result of this situation is remote," said James Kennedy, associate vice president for financial aid and university student services and systems, in the press release. "At the same time, we have moved quickly to secure the data and are conducting a thorough investigation into our information handling process to ensure that this doesn't happen again."
While the IU incident may not have been a malicious act, The Christian Science Monitor noted that it still highlights the fact that higher education needs to be more vigilant when it comes to protecting sensitive student information. Khaliah Barnes, director of the student privacy project at the Electronic Privacy Information Center in Washington, explained that student information is protected under federal law, but pointed out that data security is often up to individual universities. Fred Cate, director of Indiana University's Center for Applied Cybersecurity, told The Christian Science Monitor that technology and training to combat cyber threats is expensive, and universities often have less structure to safeguard against attacks than most businesses.
That can be problematic. As The Christian Science Monitor pointed out, hackers are now targeting university databases because of the wealth of sensitive information they store. Additionally, noted The New York Times, students often have pristine credit and do not monitor their activity the way older adults do.
According to The New York Times, the University of Maryland recently doubled its security engineers and analysts, as well as its investment in security tools, but still became a victim of a sophisticated cyberattack last week. In this case, hackers breached a university database and accessed the names, Social Security numbers, birth dates and university identification numbers of more than 300,000 faculty, staff, students and personnel with a university ID since 1998. In 2012, dozens of other universities had also been victims of cyberattacks.
"Universities are a focus in today's global assaults on I.T. systems," said Wallace D. Loh, president of the University of Maryland, in a statement quoted by The New York Times. "Obviously, we need to do more and better, and we will."
Compiled by Heidi M. Agustin
"Data breach at Indiana University: Are colleges being targeted?," csmonitor.com, February 26, 2014, Stacy Teicher Khadaroo, http://www.csmonitor.com/USA/Education/2014/0226/Data-breach-at-Indiana-University-Are-colleges-being-targeted
"Indiana University reports potential data exposure," news.iu.edu, February 25, 2014, http://news.iu.edu/releases/iu/2014/02/data-exposure-disclosure.shtml
"University of Maryland Computer Breach Exposes Records of Students and Staff," bits.blogs.nytimes.com, February 19, 2014, Nicole Perlroth, http://bits.blogs.nytimes.com/2014/02/19/university-of-maryland-computer-breach-exposes-records-of-students-and-staff/