WASHINGTON – The recent data breach at the University of Maryland is only one of hundreds at educational institutions across the country over the past few years.
The Identity Theft Resource Center, a non-profit based in California, said there were more than 50 data breaches in the educational sector just last year involving names plus Social Security numbers, driver’s license numbers, medical records, or a financial record or credit card information. Those included occurrences at K-12 schools, colleges and universities.
The breach of more than 300,000 University of Maryland staff, student and graduate records is one of at least two disclosed this month involving Social Security numbers stolen from a large university. At Indiana University, the Social Security numbers and other personal data of 146,000 students and graduates may have been breached.
And this week, the University of Northern Iowa began investigating a possible data breach after some employees reported being the victims of tax fraud.
“Universities tend to have a more open information technology architecture,” said Paul Stephens, director of policy and advocacy at the Privacy Rights Clearinghouse. “You have various parties operating within the system — you’ve got students, you have teachers, you have faculty, you have administration staff, and so on.”
Stephens emphasized that the long retention periods for student records is problematic at many schools.
“If you don’t have a real need for someone’s (Social Security) number it should be purged. There shouldn’t be a reason the university should retain the information of past, graduated students,” Stephens said.
University of Maryland President Wallace Loh said Friday that the school kept old Social Security numbers because they were once used as university identification numbers.
“The problem is that people want to come back and, 10 years later, 20 years later, ask for their transcript,” Loh said, in an interview outside a Senate hearing room in Annapolis. “They want information. So that’s why you need the Social Security numbers. Now, one could argue, and that’s what we’re looking into now, is there any way of identifying people without Social Security numbers? Because there were no university ID’s back then. Now, we can do that, but you know, the costs are, as I say, very large. But we will look into that, to do the protection.”
In a February 25 letter to the university community, Loh said the school suffered from a “sophisticated cyber-attack” that is being investigated by the Secret Service and other law enforcement agencies. He also said he ordered a comprehensive review of the University’s computing and information systems.
Data breaches tracked by groups like the Identity Theft Resource Center include the work of hackers, the theft of laptops and even the accidental exposure of information. In some cases, the data is accessed by outside parties, but in others it is not.
Last year’s incidents included an August breach at Virginia Tech University, where a server containing information about more than 144,000 job applicants was illegally accessed. The database did not contain Social Security numbers, but more than 16,000 applicants had listed their driver’s license numbers.
In July, the University of Delaware’s computer systems were compromised and Social Security numbers and other information for more than 74,000 students, employees and past employees may have been taken.
Other institutions affected by potential or actual data breaches last year included the Maricopa County Community College District in Arizona, Montana State University and the University of North Carolina at Chapel Hill.
Terry Kurzynski, a senior partner at the cybersecurity firm Halock Security Labs, agrees that the open culture universities tend to encourage for better information flow is a main reason they remain vulnerable to hackers.
A study conducted by Halock in July reported that of 162 institutions investigated, including Big Ten, Ivy League, community colleges and technical institutes, more than 50 percent allow for the transmission of sensitive information over unencrypted, unprotected email, putting private student and parent data at greater risk.
Kurzynski also cites the employment of inexperienced, transient or student workers in college information technology departments, and budget constraints as key weaknesses in many universities’ security systems.
Analysts at the Identity Theft Resource Center say data breaches at educational institutions actually saw a slight decline in the last year.
“Breaches in that area are definitely a threat,” said Karen Barney of the Identity Theft Resource Center, which tracks data breaches around the country and how they occur. “But 2013 had the lowest number of incidents in the educational sector since we began tracking them in 2005.”
In the University of Maryland’s case, Social Security numbers, birthdays and university identification numbers were lifted. This is common for hackers who target schools.
Data breaches affect “Ivy League universities to community colleges to technical schools,” Kurzynski said.
“Smaller community colleges are more at risk. They have a lesser capacity to store well and a lot of students,” Kurzynski said. “Smaller colleges have more instances of breaches…but bigger colleges tend to get more detrimentally hit.”
Capital News Service reporters Mike Denison and Antonio Franquiz contributed to this report.