US: Hackers hit universities' database 'jackpots'

Since 2008, 158 data breaches have compromised more than 2.3 million records at American higher education institutions, according to a recent report by Application Security, Inc, a US database safety company.

Identity theft has become the US' largest consumer complaint, according to the Federal Trade Commission (FTC), with nearly a million new victims each year. The problem has been exacerbated - and the illicit rewards made greater - by cyber criminals successfully hacking into the databases of semi-autonomous tertiary educational institutions.

"When an attacker gets access to university databases, it's like hitting the jackpot," says Josh Shaul, the New York-based Application Security's vice-president of product management.

One of the problems Shaul sees is that college databases contain such an extensive range of personally identifiable information (PII), from key financial information to "credit card numbers, social security numbers, and the healthcare records of employees, students, parents and alumni".

For larger institutions, with tens of thousands of students along with staff and faculty, "a university or college could be housing potentially billions of PII," says Shaul.

The recent data breach at the University of Central Missouri is one example where large amounts of data were successfully captured.

According to the Identity Theft Resource Center (ITRC) in San Diego, California, two students there generated a virus to gain remote access to data associated with more than 90,000 faculty, staff, alumni and students through university computer labs and the library.

They credited their own student accounts and changed their grades during the 2009 autumn term before being stopped in their tracks while attempting to sell the information to an undercover FBI agent for $35,000.

Similarly, in August a laptop containing the social security numbers of more than 10,000 applicants to the West Hartford campus of the University of Connecticut was stolen. Administrators have been conducting damage control ever since - contacting the compromised individuals and offering them credit-monitoring coverage for two years at the university's expense.

The $204 per compromised record that the Ponemon Institute estimates it costs to remedy a breach pales in comparison with the damage caused to an institution's reputation.

And the instances of such breaches are alarmingly high: the ITRC estimates that at least 57 breaches - compromising the records of nearly 800,000 people - have been made at higher education institutions this year alone.

Although institutions are aware of the threat, attempts to secure databases have tended to be sporadic and are usually implemented once the initial - and most insidious - breach has been made.

Acting proactively, even in small increments, however, can be all it takes to secure databases and avoid potentially disastrous breaches, says Shaul.

"One of the first and easiest steps is to ensure that the database systems have complex passwords in place and that default account logins and blank passwords have been replaced."

Although it has been suggested that the recent economic downturn has been responsible for the acceleration of this problem, Shaul notes, "the truth is that a significant uptick in data breaches started in 2005 when the economy was booming".

Students are also the targets of identity theft by various means, and most notably through their financial naivety and clean credit ratings. The FTC reports that 31% - nearly one-third - of all the identity theft victims in 2009 were under the age of 29 years.