Schools fight series of data breaches

The threat of data breaches at colleges and universities is becoming more pronounced, as was illustrated Wednesday when Johns Hopkins University announced that tapes containing personal information on 135,000 employees and hospital patients were lost.

Educational institutions accounted for over 50 of the more than 300 major data breaches in 2006, according to the Privacy Rights Clearinghouse, exposing Social Security numbers, bank account information and other sensitive personal data. Whether or not the actual rate of attacks is rising continues to be debated by computer security experts, but most agreed that universities, like most large organizations, are not improving their training, policies and technology fast enough. While Yale has not had a significant breach since 2002, administrators said they remain concerned about the threat.

Johns Hopkins became the latest casualty last month, when officials realized that the university was missing nine backup computer tapes containing sensitive information on 52,000 employees and 83,000 patients. The tapes are thought to have been destroyed accidentally, and the university released a statement saying it is unlikely they were stolen.

It is difficult to know if the apparent increase in reported breaches is due to more attacks or more publicity surrounding them, said Rodney Petersen, coordinator of the computer and network security task force at Educause, a group that examines technology use in higher education. He said he suspects institutions are simply becoming better at detecting attacks.

Randy Marchany, director of the IT security laboratory at Virginia Tech University, offered a slightly different theory. There may be a slight increase in the number of actual attacks, he said, but the major factor is more institutions reporting the breaches they find.

Universities may be at more risk of losing sensitive data even if hackers are not increasingly targeting their systems. David Farber, a computer science professor at Carnegie Mellon University, said universities are combining their data collections into larger and more vulnerable systems.

“There’s been more and more of a centralization of data handling at universities,” he said. “There’s a lot more information, a lot more complexity to the systems below it, and complex systems most of the time are somewhat easier to penetrate.”

Philip Long, Yale’s chief information officer, said breaches for identity theft have supplanted the earlier breed of hackers that broke into systems just to show they could.

Not only are systems becoming more connected, but more data are being stored in them, Long said. Yale’s primary strategy for reducing the risk of losing private information is to keep less of it, he said. While many universities use Social Security numbers as student identification numbers, Yale created the University Personal Identifier and has been transitioning to it as a replacement for Social Security numbers on campus. But even with these efforts to limit the amount of personal information collected, Long said, the University is probably storing more data than it has in the past.

Since 2002, Yale has had only occasional localized incidents and compromised individual accounts, Long said. In July 2002, admissions officials at Princeton University admitted that they had broken into a Yale Web site used to notify applicants of admissions decisions that April. They used Social Security numbers of high school students who had applied to both universities to log in to the site, in some cases learning an applicant’s admissions decision before the student did.

Physical, technical and administrative security measures all need to be in place to have more secure data storage, Long said. These efforts range from making sure computers that store data are properly locked up to ensuring that only certain staff members have access to sensitive information.

Marchany said the top priority for information security is increasing awareness, both by telling general staff members how to keep their data secure and by making sure information technology staff are properly trained in how to detect and respond to attacks and lost data.

According to data provided to Marchany by the California Office of Privacy Protection, nearly half of all data losses at universities reported to the office in 2005 were due to compromised servers, while losses at non-educational institutions were primarily due to lost laptops — only 11 percent of their breaches came from compromised systems. Marchany said the difference is most likely due to better staff training at universities so employees know not to leave unencrypted sensitive information on their laptops.

Farber said universities need to create chief information security officer positions. Yale’s own information security officer, Morrow Long, was traveling this week and could not be reached for comment. Petersen said Morrow Long, who is part of the Educause task force, is recognized as a national expert on information security.
