Campus Security | News

Security Researchers Compile Data Breach 'Champions'

• By Dian Schaffhauser
• 04/04/11

Tonight's game decides this year's winner of the NCAA Men's Division Basketball Championship--either the University of Connecticut or Butler University. By now, if you've been playing your own set of brackets, you've probably torn up the printout. According to a Yahoo bracket contest, out of 3 million entries, only a single individual has so far come up with the "final four" selection that matches with reality, which also included the University of Kentucky (bested by U Conn 56 to 55) and Virginia Commonwealth University (beat by Butler 70 to 62).

During breaks in games, distracted database security researchers at Application Security have put together their own bracket competition, this one focused on higher ed data breaches. 2010's winner: Ohio State University with a potential exposure of 750,000 names.

"Higher Education Data Breach Madness" pulls together records for reported college and university breaches yearly and declares an annual final four. In 2010 Ohio State was joined by Valdosta State University in Georgia with 170,000 potential records exposed; University of North Florida with 107,000 records; and Buena Vista University in Iowa with 93,000 records.

According to TeamShatter, AppSec's research arm, this year has seen 14 reported breaches covering 81,835 records. The leader to date: University of South Carolina, which may have exposed 31,000 records because of a computer security problem hitting eight university systems maintaining data on faculty, staff, retirees, and students.

TeamShatter Director of Research, Alex Rothacker, believes the campus environment is ripe for data breaches. "When an attacker gets access to university databases, it's like hitting the jackpot," he said. "Databases at colleges and universities store a wealth of personally identifiable information. This information includes names, addresses, financial information, credit card numbers, Social Security numbers, and healthcare records of employees, students, parents, and alumni. With major colleges enrolling tens of thousands of students a year, along with the large amount of employees involved with running an institution, a university or college could be housing potentially millions of records containing [personal data]."

He added that the amount and type of data isn't the only issue with higher education. "These institutions are often open environments with high turnover. They often recruit from the student body and provide limited supervision or training. Because of the wealth of information that universities store, they are instantly stamped with a bulls eye and a target on the critical data they house."

Editor's note: This article has been modified since its original publication to correct a factual error. It was the University of South Carolina that "may have exposed 31,000 records because of a computer security problem," not, as previously reported, the University of Southern California. [Last updated April 4, 2011 at 2:30 p.m.] --David Nagel