Computer hackers reportedly have stolen identifying information and credit card numbers from more than half a million — some 600,000 — college students, faculty, and alumni this year. This is prompting some campus IT officials to call for a “total overhaul” of computer security protocol.
Identity Theft 911, an Arizona-based company founded by consumer advocates and experts from the financial industry and law enforcement, released a report this month, called “America’s Universities: A Hacker’s Dream,” which documents some of the largest recent computer security breaches on college campuses and discusses solutions for IT decision makers and students.
Twenty-seven American colleges and universities saw personal records stolen in the first seven months of 2009, and the report concludes that a “sprawling profusion” of disparate computer networks and servers–each with a different security policy–makes IT departments “powerless to enforce any standards,” meaning student grades, credit information, and Security Social numbers remain vulnerable.
Challenge of decentralization
Adam Levin, chairman and cofounder of Identity Theft 911, said colleges’ decentralized IT systems combined with an open network are “a recipe for the disaster we’ve experienced.” Thousands of students connected to online social networks and file-sharing web sites endanger the entire IT infrastructure, Levin said.
“When you’re downloading Madonna, you could also be downloading” malware that could spread throughout a campus IT network, he said.
Campus IT officials said school networks often are vulnerable because thousands of students and faculty access the networks every day using their laptops or other personal mobile devices.
“Many of those we don’t own, we don’t have any management responsibility for them, and yet they do introduce problems we have to deal with,” said Robert Ono, the director of technology security for the University of California at Davis. Ono said 35,000 computers connect to the campus’s network every day.
Gaps in campus security policy could be filled, according to the report, by building a “unified, high-security firewall” that would protect electronic records in every department. Faculty members and alumni could choose to be included in the campus-wide firewall or be locked out, according to the report.
Centralizing campus computer networks would require categorization of personal information. In this scenario, data would be separated according to their level of sensitivity, the report says, adding that no one outside the university’s financial aid department would need to know a student’s Social Security number.
Action usually requires a crisis
How quickly this cumbersome process unfolds hinges on the severity of a security breach.
“The fast route usually starts with a serious breach, creating the political will necessary to get serious about security,” the report says. Notre Dame University spent $4.6 million on security consultants and updated its network hardware after a 2006 hack exposed sensitive information about faculty and donors.
“The fact that we were responding to a crisis,” said David Seidl, Notre Dame’s director of information security, “proved to be enormously helpful in getting support.”
Identity Theft 911’s report includes a list of the largest security breaches in higher education this decade. The University of Miami’s 2008 breach, in which 2.1 million records were stolen, remains at the top of the list, and the University of California, Berkeley’s 180,000 stolen records is the only security incident from 2009 on the top-10 list.