A Quarter of Higher Ed Transmits Unencrypted Student Data

Should colleges and universities be insisting on the use of encryption for the transmission of sensitive information among its student applicants? That's what one security firm is recommending after doing an informal audit of 162 American institutions, including schools that are part of the Big 10, the Big 8, the Ivy League, community colleges, and technical institutes. Halock Security Labs reported that 41 of the institutions sampled "encouraged scanning and emailing unencrypted documents."

According to the company, unencrypted data transmissions between applicants and the admissions or financial aid office can place the personal information of students and parents at risk. Encryption calls for the use of special software that scrambles data, converting it to a format that can only be read by somebody with a unique key. Princeton University, for example, has a policy of requiring that all "eligible" faculty and staff laptops have software installed to do automatic encryption.

"When universities utilize unencrypted email as a method for submitting W2s and other sensitive documents, the information and attachments are transmitted as cleartext over the Internet. This format is susceptible to hackers and criminals who can use this private information for identity theft," said Partner Terry Kurzynski.

Figuring out whether a Web page supports encryption is a simple process. If the URL begins with "https://" and the user's browser shows a closed lock, the site is using encryption between the browser and its server. If the Web page begins with "http://" and the browser shows an open lock, nothing done through that page is encrypted.

Many public and private institutions use The Common Application, a secure service that handles first-year and transfer applications.

Halock spokespeople declined to provide the names of schools it had found that failed to encrypt admission or financial aid information. However, a quick search uncovered one multi-campus institute of technology and an Iowa community college that provided admissions forms that weren't encrypted. The former accepted name and contact information; the latter also asked for a Social Security number, birth date, and a number of other personal details.

The topic of encryption is gaining more attention as the number of cyber-attacks on campuses appears to be increasing. Recently, for example, Stanford University acknowledged that it had been investigating a data breach in its IT infrastructure and requested that all users on the network change their passwords.

According to an article this week in The New York Times, research universities especially are facing "millions of hacking attempts weekly." Many of the attacks are coming from China, according to the reporting. And higher education is a target, suggested the article, because of the value of the research taking place in those environments.

At the same time, colleges and universities are suffering just a fraction of the breaches faced by government, military, and private sector organizations, according to a new visualizer that examined worldwide breaches over the last nine years.

To counter the problem of unsecure data falling into the wrong hands, Halock suggested that families of applicants "insist" on an electronic transport mechanism that is encrypted or deliver documents in person or through fax or certified mail. The company also encouraged colleges and universities to do a better job of encouraging applicants not to use public contact email addresses to send private information.

About the Author

Dian Schaffhauser is a former senior contributing editor for 1105 Media's education publications THE Journal, Campus Technology and Spaces4Learning.

Featured

  • person signing a bill at a desk with a faint glow around the document. A tablet and laptop are subtly visible in the background, with soft colors and minimal digital elements

    California Governor Signs AI Content Safeguards into Law

    California Governor Gavin Newsom has officially signed off on a series of landmark artificial intelligence bills, signaling the state’s latest efforts to regulate the burgeoning technology, particularly in response to the misuse of sexually explicit deepfakes. The legislation is aimed at mitigating the risks posed by AI-generated content, as concerns grow over the technology's potential to manipulate images, videos, and voices in ways that could cause significant harm.

  • close-up illustration of a hand signing a legislative document

    California Passes AI Safety Legislation, Awaits Governor's Signature

    California lawmakers have overwhelmingly approved a bill that would impose new restrictions on AI technologies, potentially setting a national precedent for regulating the rapidly evolving field. The legislation, known as S.B. 1047, now heads to Governor Gavin Newsom's desk. He has until the end of September to decide whether to sign it into law.

  • illustration of a VPN network with interconnected nodes and lines forming a minimalist network structure

    Report: Increasing Number of Vulnerabilities in OpenVPN

    OpenVPN, a popular open source virtual private network (VPN) system integrated into millions of routers, firmware, PCs, mobile devices and other smart devices, is leaving users open to a growing list of threats, according to a new report from Microsoft.

  • interconnected cubes and circles arranged in a grid-like structure

    Hugging Face Gradio 5 Offers AI-Powered App Creation and Enhanced Security

    Hugging Face has released version 5 of its Gradio open source platform for building machine learning (ML) applications. The update introduces a suite of features focused on expanding access to AI, including a novel AI-powered app creation tool, enhanced web development capabilities, and bolstered security measures.