What's behind the rash of university data breaches?

Purdue University last month reported its seventh data breach in the past four years. But Purdue is hardly alone. According to my records, over 300 publicized privacy incidents have occurred at U.S. institutions of higher learning since 2001, with at least 53 colleges and universities experiencing multiple breaches (see table at end of article).

The regular stream of university data-breach reports has prompted Adam Dodge, assistant director for information security at Eastern Illinois University, to devote a blog — Educational Security Incidents  — to the topic.

When I last covered the issue four years ago (see "Security breaches challenge academia's 'open society' "), universities were the leading sector for publicized breaches. The same is true today.

What's going on? Why haven't things changed?

John Correlli of Los Angeles-based JMC Privacy Consulting Group has some answers. Correlli recently published a detailed analysis of the topic, "Breaches in the Academia Sector." Correlli identifies the top three root causes of university breaches: unauthorized access, usually inside jobs; accidental online exposures; and stolen laptops.

"Privacy governance in academia is far too frequently thrown into the laps of the IT folks, who are then told, implicitly or explicitly, that privacy isn't a priority until it's a problem," Correlli told me.

Correlli also points to unique threats and vulnerabilities in academia:

  • The open nature of the university physical and technical environment.

  • Department fiefdoms inhibiting central policy enforcement.

  • A customer user population that is relatively low paid, lives "on site" and experiences high turnover.

There is some debate over whether students perpetrating intentional breaches or staff making unintentional data disclosures are the principal source of data risk within universities. I think both are worth monitoring, but would pay special attention to students. Why? Twice a year, college students are under extreme duress to produce results that their futures depend on. The statistics appear to bear this out.

Looking at the months of the reported breaches, peak activity occurs during the traditional finals weeks of fall and spring semesters. In contrast, the fewest breaches are reported during months when students aren't around (see graph).

Elevated data risk during finals week?

A monthly breakdown of university data breaches reported since 2001 shows January and May as the peak months. Allowing for a few weeks to detect and report these incidents, the actual peak in incident activity may be occurring during the final weeks of the fall and spring semesters. Number of reported breaches at universities, by month:

September                   19
October                         29
November                    24
December                    29
January                         42
February                       25
March                            36
April                               39
May                               43
June                             36
July                               24
August                         23

Source: Minnesota Privacy Consultants

Susan Blair, chief privacy officer at the University of Florida, generally agrees with Correlli. In a presentation she shared with me, Blair lists these as the top reasons for university breaches:

  • Data-rich information systems creating a natural target.

  • Outdated and nonenforced data-security safeguards.

  • Sophisticated intruders, with potential criminal intent.

  • Careless or inattentive data systems management.

  • Negligent hiring practices or employee misuse of data.

  • Demonstrated opportunities for repeat access.

  • Business partners or research sponsors who fail to protect information.

1 2 Page 1
Page 1 of 2
7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon