What's behind the rash of university data breaches?

Computerworld - Purdue University last month reported its seventh data breach in the past four years. But Purdue is hardly alone. According to my records, over 300 publicized privacy incidents have occurred at U.S. institutions of higher learning since 2001, with at least 53 colleges and universities experiencing multiple breaches (see table at end of article).

The regular stream of university data-breach reports has prompted Adam Dodge, assistant director for information security at Eastern Illinois University, to devote a blog — Educational Security Incidents  — to the topic.

When I last covered the issue four years ago (see "Security breaches challenge academia's 'open society' "), universities were the leading sector for publicized breaches. The same is true today.

What's going on? Why haven't things changed?

John Correlli of Los Angeles-based JMC Privacy Consulting Group has some answers. Correlli recently published a detailed analysis of the topic, "Breaches in the Academia Sector." Correlli identifies the top three root causes of university breaches: unauthorized access, usually inside jobs; accidental online exposures; and stolen laptops.

"Privacy governance in academia is far too frequently thrown into the laps of the IT folks, who are then told, implicitly or explicitly, that privacy isn't a priority until it's a problem," Correlli told me.

Correlli also points to unique threats and vulnerabilities in academia:

• The open nature of the university physical and technical environment.
• Department fiefdoms inhibiting central policy enforcement.
• A customer user population that is relatively low paid, lives "on site" and experiences high turnover.

There is some debate over whether students perpetrating intentional breaches or staff making unintentional data disclosures are the principal source of data risk within universities. I think both are worth monitoring, but would pay special attention to students. Why? Twice a year, college students are under extreme duress to produce results that their futures depend on. The statistics appear to bear this out.

Looking at the months of the reported breaches, peak activity occurs during the traditional finals weeks of fall and spring semesters. In contrast, the fewest breaches are reported during months when students aren't around (see graph).

Susan Blair, chief privacy officer at the University of Florida, generally agrees with Correlli. In a presentation she shared with me, Blair lists these as the top reasons for university breaches:

• Data-rich information systems creating a natural target.
• Outdated and nonenforced data-security safeguards.
• Sophisticated intruders, with potential criminal intent.
• Careless or inattentive data systems management.
• Negligent hiring practices or employee misuse of data.
• Demonstrated opportunities for repeat access.
• Business partners or research sponsors who fail to protect information.