Why Are Universities Hacked?

The Los Angeles Times reports that information concerning 80,000 students across eight Cal State campuses who took a mandatory online course on sexual harassment, which was provided by an outside vendor, was allegedly hacked. According to the report:

Information such as passwords used to log into the class, as well as sign-in names, campus-issued email addresses, gender, race, relationship status and sexual identity were exposed.

Personally identifying information such as Social Security, credit card and driver's license numbers was not compromised…[.]

Cal State is not alone in being a major university targeted by hackers. Not even close. Earlier this summer I started keeping track of universities that had been victims of cyberattack and/or experienced data breaches. According to my unofficial, very preliminary (and still in progress) accounting based on press reports, over 40 colleges and universities have suffered breaches of confidential information in the past three years. The true number is likely much, much higher. The data stolen, and in some cases publicly exposed, includes information belonging to students, faculty, employees and even applicants.

The Cal State case highlights risks faced by academic institutions and nearly any other large organization that relies on vendors to provide services.

A few other recent examples demonstrate the variety and breadth of exposure that universities face:

• Penn State has been the victim of multiple sophisticated cyberattacks. According to a May 2015 message from the university president that describes two attacks directed at its School of Engineering, Penn State was first notified by the FBI, and press reports attribute the attacks to China. The university’s College of Liberal Arts has also been targeted. The clean-up efforts involved disruption to campus technology services.
• Harvard has also experienced “an intrusion” on its systems, although attribution and the details of whether personal information has been exposed are unclear. Harvard was also one of many schools that were targeted by hacktivist group Team Ghostshell in 2012, which released student and employee data.
• Auburn experienced a particularly unusual data breach, apparently a result of a technical problem, not a malicious hack. Auburn had purchased the standardized test scores of high school students for marketing and outreach purposes. Personal information regarding those individuals – over 360,000 - was inadvertently publicly exposed on the university’s website.

So why are universities targeted or otherwise at risk for inadvertent data breaches? I think there are at least a few reasons:

One, universities collect and retain a lot of data about a lot of people: personally identifying information such as social security numbers, addresses, and email addresses. Student information also includes education information that is protected by federal statute. For employees, perhaps additional financial information such as retirement account numbers and bank account numbers. Perhaps student and employee health information. And for universities that operate medical and hospital systems, all of the accompanying personal health information that goes with that territory and is subject to a heightened regulatory environment.

Universities also do research. Some of that research may be U.S. government-funded. It may even be classified. Some of it may be scientific, cutting-edge, or otherwise interesting to foreign nations from an economic, intellectual property or international relations perspective.

Two, their information technology infrastructure and leadership structure may be university-centered, lessening the accountability for leaders and managers in the individual colleges, campuses or schools. If a school’s information technology system is controlled by and managed at the university level, then the individual information management and school leadership is likely to have both less visibility, as well as less responsibility for the protection of information for their particular student, faculty, employee and applicant information. Because of their decentralized leadership structure, as well as, in many academic environments, a tradition that includes governance by committees, I believe that universities face particular challenges in taking charge of evaluating their cybersecurity exposure and plans.

Three, universities are extremely budget conscious. Higher education is pinched by continually expanding costs and the need to control tuition. Universities at the higher end of academic standards for admission compete for qualified students, including students who can afford tuition that is out of reach of many students and families. Spending money on outside consulting, legal and technical support to put in place appropriate detection systems and meaningful incident response plans is often not a priority. There is likely a perception that not many young adults are really going to decide where to go to college based on the quality of a school’s information technology security and privacy practices.

Then again, maybe that's not so outrageous a suggestion after all. It goes without saying that today’s college and graduate students are sophisticated users of technology. And while perhaps they may not make a decision to enroll based on the quality of a school’s incident response plan and information technology practices, they may very well factor in a school’s technological sophistication and use of technology in teaching and learning in deciding where to enroll. A school that experiences a significant data breach may be forced to significantly interrupt faculty and student use of technology systems such as e-mail, data storage and course websites, while it cleans up the mess. When put in the context of the disruption that data breach may cause to the daily business of learning and teaching, universities might consider becoming more proactive in their approach to preventing, detecting and responding to data breaches.