


by Jaikumar Vijayan, Computerworld (US online)

Oklahoma State Breach Points to Higher-ed Security Problems

May 16, 2008

A seemingly never-ending string of data breaches at various colleges around the U.S. highlights precisely why university systems and networks continue to have a reputation for being notoriously insecure.

The latest academic institution to disclose a data compromise was Oklahoma State University (OSU), which Wednesday began notifying about 70,000 individuals that their names, addresses, Social Security numbers and other personal data may have been compromised.

The warning followed the discovery in late March of an intrusion into a server belonging to the university’s parking and transit services department, according to OSU spokesman Gary Shutt. The server contained information on people who had purchased parking permits from the university dating back to July 2002, according to an advisory posted on OSU’s Web site.

Shutt said that the intrusion appears to have been carried out by a hacker in Germany who was looking for a server on which to host movies, TV shows, songs and pornographic content. Thus far, there is no evidence that the attack was perpetrated for the purposes of stealing the data stored on the server. “It appears that the person who came in was just looking for server space,” Shutt said. “But because we couldn’t be 100% sure, we went ahead and started sending notices.”

According to Shutt, the university was alerted to the intrusion after another organization complained that its servers were being probed by the compromised system at OSU. On Wednesday, the university sent out e-mail notices to about 40,000 individuals for whom it had working addresses. The school is sending notices to another 26,000 people via postal mail, Shutt said, adding that it doesn’t have contact information for the rest of the people whose data was stored on the server.

The OSU breach is one of eight data compromises at colleges and universities to be listed thus far this month on a Web site called Educational Security Incidents. Since January, a total of 86 data breaches have been reported at educational institutions, according to the ESI site. Most of the incidents involve U.S. schools, although a handful were reported by universities in other countries.

The breaches that have recently come to light at universities include the following:

  • Earlier this month, Dominican University disclosed that two student employees had used their passwords to improperly access an Excel file that contained the records of 5,215 students. The file was stored “in an unsecure location,” according to an advisory posted on Dominican’s Web site.
  • Late last month, Southern Connecticut State University notified 11,000 current and former students that their names, addresses and Social Security numbers may have been accessed by intruders who were using the school’s Web server to host an illicit site, allegedly as part of a spamming operation.
  • In March, Antioch University in Yellow Springs, Ohio, disclosed that unknown cybercrooks had broken into its main ERP server on multiple occasions last year and stolen the personal data of about 60,000 individuals.
  • That same month, Lasell College in Newton, Mass., disclosed that one of its employees had illegally accessed a database containing the Social Security numbers and other personal data of about 20,000 people.
  • The personal information of about 10,000 graduate students at Harvard University was exposed by a server intrusion that was discovered in February and publicly disclosed the following month.

Such incidents show that many of the security issues plaguing university IT networks are still a long way from being addressed, said Charlie Moran, principal at Moran Technology Consulting, a Naperville, Ill.-based firm that does IT consulting work within the education market.

The continuing security problems don’t result from a lack of effort, according to Moran. “Nobody is saying, ‘Let’s be stupid and leave ourselves wide open,’” he said. “It has to do with the [academic] culture.”

The highly decentralized nature of educational IT environments, and their relatively open data-access policies, continue to pose data security challenges, agreed Ted Julian, vice president of marketing at Application Security Inc., a New York-based vendor of database monitoring tools. The openness “fosters a highly collaborative environment,” Julian said. But, he added, it makes university networks hard to secure.

Some IT departments are trying to exercise a level of centralized control over the technology assets at their schools, but many remain far from achieving that goal, Moran said. He added that while security threats have become much more complex, the IT operations at most universities — especially at state-run schools — are understaffed and can barely keep up with information security needs.

Not all the news is bad, though. For instance, many universities have stopped using Social Security numbers as personal identifiers. One example is OSU, according to Shutt. Moran said that other schools have made considerable progress in securing potential intrusion channels, such as their student-residence networks and remote access setups.

There also appears to be a growing acknowledgment within colleges and universities of the need to do something about IT security. A survey of 589 university representatives conducted late last year by Educause, a nonprofit group promoting the use of IT in higher education, identified data security as the top priority for IT organizations this year. It’s the fifth straight year that security has been one of the top three priorities, a fact that the report attributed to concerns about data breaches and the need to meet security compliance requirements.