Higher Education Has A Lot To Learn About Data Breaches

Data breaches present a major problem for colleges and universities

getty

Columbia University recently disclosed that it had suffered a data breach in May that was discovered in June, but not officially disclosed until August.7^th. According to public filings 868,969 people had their personal information compromised. The compromised information included names, Social Security numbers, birth dates and much more information that can readily lead to identity theft. The number of people affected may seem high considering the fact that Columbia only employs approximately 20,000 people and has an enrollment of approximately 35,000 students. This discrepancy is due to the fact that Columbia kept sensitive personal information on both current and former students as well as applicants including people who never were accepted or attended Columbia.

Data breaches at colleges and universities are common. In the last 20 years American educational institutions experienced 3, 173 data breaches compromising more than 37.6 million records. The worse year for such data breaches was in 2023 when there were 954 data breaches, largely attributable to the MOVEit file transfer software supply chain hack which alone affected more than 800 institutions using the corrupted software. Among the schools suffering a data breach in 2023 as a result of the MOVEit hacking was the University of Georgia where names, birth dates and Social Security numbers were among the compromised information lost affecting 800,000 students, former students, faculty and staff.

Colleges and universities present the perfect storm for data breaches as they maintain both vast amounts of valuable intellectual property and research data as well as large amounts of sensitive personal information sought by corporate spies, foreign governments, identity thieves and ransomware gangs. Couple this with often outdated computer security systems, and open and decentralized networks and you have a recipe for disaster. The extensive use of Internet of Things devices also opens a new area of vulnerability exploitable by sophisticated hackers.

Basic steps to protect such sensitive data such as encryption and requirement of dual factor authentication are often not taken. In addition, many schools do not have sufficient security programs in place to limit access to personal information which the universities keep in their computers long after it is necessary to be kept, such as Social Security numbers for students who have long since graduated or any information about applicants who were never admitted.

Colleges and universities must make a greater commitment to data security. Data breach prevention systems should be implemented that include, but not be limited to updated firewalls, limiting access to personal information, purging of unnecessary information, dual factor authentication and encryption.

WHAT SHOULD YOU DO IF YOU ARE A VICTIM OF A DATA BREACH?

Victims of this data breach should freeze their credit if they have not already done so. Actually, freezing your credit is something everyone should do. It is free and easy to do. It protects you from someone using your identity to obtain loans or make large purchases even if they have your Social Security number. If you have not already done so, put a credit freeze on your credit reports at each of the major credit reporting agencies. Here are links to each of them with instructions about how to get a credit freeze:

Equifax

TransUnion

Experian

Everyone also should monitor their credit reports regularly for indications of identity theft. The three major credit reporting agencies now provide free weekly access to your credit reports so you can monitor your credit reports easily on your own. Some scammers have websites that appear to offer “free” credit reports, but if you read the fine print, you often may find that you have signed up for unnecessary services. Here is the only link to use to get your free credit report.

Finally, be wary of anyone who calls you offering to help you in regard to a data breach who asks for personal information as that is a favorite tactic of hackers to lure you into providing additional personal information that can lead to your becoming a victim of identity theft. Also, as always, never click on a link or download an attachment to an email or text message unless you have absolutely confirmed that it is legitimate and don’t provide personal information in response to an email, text message or phone call unless you have absolutely confirmed that the communication was legitimate.