BreachExchange mailing list archives

Universities Flunk Security as Data Breaches Jolt Education


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 27 Feb 2014 18:22:59 -0700

http://www.govtech.com/education/Universities-Flunk-Security-as-Data-Breaches-Jolt-Education.html

A week after someone breached a database at the University of Maryland,
President Wallace D. Loh announced that university and law enforcement
officials were investigating how a hacker gained access to names,
addresses, Social Security numbers and other data going back to 1998.

The more than 300,000 students, faculty and staff affected will receive
no-cost credit protection services, and the university is launching a "top
to bottom" investigation of all computing and information services to
include:

- Scanning of every university database to find where sensitive personal
information is located, so it may be purged or protected.
- Penetration testing of the university's security to identify and seal any
vulnerabilities.
- The university will also review centralized vs. decentralized systems to
coordinate security and safeguards.

"Universities are a focus in today's global assaults on IT systems," said
Loh in an announcement. "We recently doubled the number of our IT security
engineers and analysts. We also doubled our investment in top-end security
tools. Obviously, we need to do more and better."

Employees of the University of Northern Iowa (UNI) might agree with Loh's
assessment of universities as targets. When attempting to file tax returns,
some discovered that their Social Security numbers had already been used by
other tax filers. While UNI has yet to find evidence of compromised
databases, the University of Maryland's experience prompted UNI to call in
law enforcement and the IRS, provide credit monitoring and take other steps.

Indiana University also just joined the ranks of security dropouts,
announcing Feb. 25 that names, addresses and Social Security numbers of
nearly 150,000 students and recent graduates may have been exposed during a
data breach. The data was reportedly stored in an unsecured location for
nearly a year.

Legislative bodies are taking note of the increased collection of student
digital data, and in Kansas, for example, the Legislature is moving to
ensure better privacy for student information. Hackers, however, don't
often follow the law, and so strong policy must be matched by equally
strong IT security practices.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
