Security | News

A Quarter of Higher Ed Transmits Unencrypted Student Data

• By Dian Schaffhauser
• 07/30/13

Should colleges and universities be insisting on the use of encryption for the transmission of sensitive information among its student applicants? That's what one security firm is recommending after doing an informal audit of 162 American institutions, including schools that are part of the Big 10, the Big 8, the Ivy League, community colleges, and technical institutes. Halock Security Labs reported that 41 of the institutions sampled "encouraged scanning and emailing unencrypted documents."

According to the company, unencrypted data transmissions between applicants and the admissions or financial aid office can place the personal information of students and parents at risk. Encryption calls for the use of special software that scrambles data, converting it to a format that can only be read by somebody with a unique key. Princeton University, for example, has a policy of requiring that all "eligible" faculty and staff laptops have software installed to do automatic encryption.

"When universities utilize unencrypted email as a method for submitting W2s and other sensitive documents, the information and attachments are transmitted as cleartext over the Internet. This format is susceptible to hackers and criminals who can use this private information for identity theft," said Partner Terry Kurzynski.

Figuring out whether a Web page supports encryption is a simple process. If the URL begins with "https://" and the user's browser shows a closed lock, the site is using encryption between the browser and its server. If the Web page begins with "http://" and the browser shows an open lock, nothing done through that page is encrypted.

Many public and private institutions use The Common Application, a secure service that handles first-year and transfer applications.

Halock spokespeople declined to provide the names of schools it had found that failed to encrypt admission or financial aid information. However, a quick search uncovered one multi-campus institute of technology and an Iowa community college that provided admissions forms that weren't encrypted. The former accepted name and contact information; the latter also asked for a Social Security number, birth date, and a number of other personal details.

The topic of encryption is gaining more attention as the number of cyber-attacks on campuses appears to be increasing. Recently, for example, Stanford University acknowledged that it had been investigating a data breach in its IT infrastructure and requested that all users on the network change their passwords.

According to an article this week in The New York Times, research universities especially are facing "millions of hacking attempts weekly." Many of the attacks are coming from China, according to the reporting. And higher education is a target, suggested the article, because of the value of the research taking place in those environments.

At the same time, colleges and universities are suffering just a fraction of the breaches faced by government, military, and private sector organizations, according to a new visualizer that examined worldwide breaches over the last nine years.

To counter the problem of unsecure data falling into the wrong hands, Halock suggested that families of applicants "insist" on an electronic transport mechanism that is encrypted or deliver documents in person or through fax or certified mail. The company also encouraged colleges and universities to do a better job of encouraging applicants not to use public contact email addresses to send private information.