Universities have long been a favorite target for hackers bent on pilfering private data for identity theft and exploitation. Since 2005, when breaches at universities began being recorded, an average of 1,268,394 records have been exposed in the US per year. Numbers have been declining, however. In 2011, a reported 478,490 records were breached.
To complicate matters, higher education has a reputation for employing looser data security protocols in general, making institutions susceptible to accidental data loss and exposure. The breadth and volume of personal data collected by universities, coupled with high turnover and a generally technically unsavvy population, make the problem of data loss at institutions nearly epidemic in nature.
How is data breached?
Deliberate attacks on systems and individuals who have access to sensitive data can cause more harm than inadvertent exposure. One in four of all data breaches reported by colleges and universities is a result of theft. Former employees, insiders who have a grudge against an organization, or criminals looking to make money from the sale of the data will look for data stored on laptops, hard drives, and thumb drives. Insiders are the number one cause of data breaches, while hackers (criminals attempting to gain access through the Internet) rank a bit lower, according to one study by the Ponemon Institute.
Inadvertent exposure due to the loss of media is another way data is exposed. Backup tapes or paper files being misplaced on their way to a storage facility, or laptops left behind at airports or in taxis, are common ways data can end up in the hands of unauthorized people.
When old computers or hard drives are sold or recycled, the information contained on them might be deleted, but if not properly erased, that data can be retrieved by anyone with just a few cheap tools. Additionally, leaving data on media that is not adequately protected with a strong password or with encryption leaves it vulnerable to a hacker or thief. The same applies to sensitive paper files, which should be disposed of using a cross-cut shredder or a recycling/trash pickup service that ensures proper disposal.
Collecting, storing, sending, encrypting, finding and removing data may all have implications for its safety. Those who handle sensitive data may find they are doing one or more of these activities. If proper safety precautions are not taken, inadvertent data exposure could be the result. For example, breaches of sensitive data stored in folders accessible through the Internet, such as through file sharing software, have occurred more than once at universities.