The more than 300,000 students, faculty and staff affected will receive no-cost credit protection services, and the university is launching a “top to bottom” investigation of all computing and information services to include:
- Scanning of every university database to find where sensitive personal information is located, so it may be purged or protected.
- Penetration testing of the university’s security to identify and seal any vulnerabilities.
- The university will also review centralized vs. decentralized systems to coordinate security and safeguards.
Employees of the University of Northern Iowa (UNI) might agree with Loh’s assessment of universities as targets. When attempting to file tax returns, some discovered that their Social Security numbers had already been used by other tax filers. While UNI has yet to find evidence of compromised databases, the University of Maryland’s experience prompted UNI to call in law enforcement and the IRS, provide credit monitoring and take other steps.
Indiana University also just joined the ranks of security dropouts, announcing Feb. 25 that names, addresses and Social Security numbers of nearly 150,000 students and recent graduates may have been exposed during a data breach. The data was reportedly stored in an unsecured location for nearly a year.
Legislative bodies are taking note of the increased collection of student digital data, and in Kansas, for example, the Legislature is moving to ensure better privacy for student information. Hackers, however, don’t often follow the law, and so strong policy must be matched by equally strong IT security practices.