
WASHINGTON — Mike King can’t come to terms with the fact that his Social Security number was stolen. The University of Maryland senior first heard about the data breach when he received a tip for The Diamondback, the student newspaper where he’s the editor-in-chief. Covering the breach was one of the few times King had difficulty removing his emotions from a story.

“Our Social Security numbers could be in the hands of anybody for the rest of our lives,” King said. “I don’t see how you couldn’t be upset about this. I don’t see how this couldn’t be one of the worst things that’s ever happened to you.”

University of Maryland senior Mike King was forced to separate his emotions as a victim of the university’s data breach from his duties as the editor-in-chief of his student paper. (Photo courtesy of Charlie DeBoyace/The Diamondback)

In late February, records of 287,580 Maryland students and faculty were breached, exposing names, Social Security numbers, dates of birth and university ID numbers to an unknown third party.

“It’s not something I would have ever thought would happen to a school like Maryland,” said University of Maryland senior Sharad Varadarajan. “I thought the security system would be basically unbreachable–but I guess this brought me back to reality.”

What surprised Varadarajan almost a month ago is, in fact, an increasingly unsurprising occurrence in higher education.

At least three universities – Johns Hopkins, North Dakota and Point Park in Pittsburgh – have experienced data breaches this month. Since the beginning of 2013, educational institutions have had more than 52 publicized data breaches involving more than 3 million records, according to a database maintained by Privacy Rights Clearinghouse, a nonprofit dedicated to informing the public about privacy protection. Although it’s unclear whether universities are being targeted by hackers, they may be more vulnerable to attacks.

Decentralized systems

The University of Maryland has thousands of databases throughout its campus, including systems operated by individual administrative and academic units, University of Maryland President Wallace Loh wrote in a published letter. Such decentralization of data is not uncommon in higher education and makes universities more susceptible to data breaches, said Gabe Iovino, leader of the threat team at Internet security company IID.

Maryland senior Sharad Varadarajan was surprised that his school could not thwart a hacker. (Photo courtesy of Sharad Varadarajan)

“I don’t know that was the case of the Maryland breach,” Iovino said. “I don’t know what department was running that, but my guess is there was a smaller IT team of that department managing that device.”

While universities typically have formal IT systems to secure sensitive data in universitywide systems, academic departments may have less formal IT teams managing their own data units. Universitywide systems – like that used by a school’s human resources department – typically have large teams of trained IT professionals that work to secure the “enterprise system,” Iovino said. Such teams often have more time, people and resources for securing IT systems than the fringe IT teams that maintain department servers.

“I’ve been involved in instances where some graduate student was managing the servers instead of a full-time web professional,” Iovino said. “Some departmental IT teams are just one person or maybe a part-time person.”

Universities’ main data systems are rarely compromised, he said.

“My guess is if you did some research on the last 10 breaches, I bet every one of those was a department-owned resource that didn’t have the same type of management capabilities as the enterprise group.”

But even central systems have been breached. The Maryland incident occurred in a database managed centrally, spokesman Brian Ullmann said. The university is not releasing the specifics of the breach for security reasons.

The weakest link

On March 6, members of the hacker group Anonymous posted data stolen from the Department of Biomedical Engineering server at Johns Hopkins University after officials refused to hand over the login information to the university’s main network. The data, which included names and contact information for about 848 current and former students, were stolen from a server used to maintain the Biomedical Engineering Department website.

One of the main questions the university is attempting to answer in its internal review is why course-related data was on the server for a department website, University spokesman Dennis O’Shea said in a statement.

A statement released by Loh, the University of Maryland president, similarly addressed the need to review the balance between “centralized versus decentralized IT systems.”

“We understand the needs of individual units to control their own servers and databases,” Loh said. “We must also ensure that safeguards at central and local levels are equally robust and tightly coordinated. Our university’s entire cybersecurity system is only as strong as its weakest link.”

The arms race

The best way for universities to increase their data security is by consolidating their IT systems, Iovino said.

“Instead of having these, by definition, smaller departments administrating their own computer resources, they should bring that all under a central IT organization where they have the staff and resources to properly manage these systems.”

But even if universities consolidate their resources under one IT department, they face the challenge of securing a network used by thousands of unmanaged student devices.

Unlike corporate networks, university networks are not limited to pre-approved devices managed by an IT department. Students bring added risk by connecting their personal devices, such as laptops and game consoles, to the university network.

The best way to protect against breaches through unmanaged devices is to segment the network, or put up a firewall between unmanaged devices and the part of the network that contains sensitive information, Iovino said. This would limit the access that unmanaged devices, and therefore hackers, have to the network.

“That is done at larger universities but it could probably be done even better,” Iovino said.

Many schools have increased their IT spending to try to protect against evolving cyberthreats.

The University of Maryland, for instance, doubled its IT security staff and annual investments in cybersecurity last year, Loh wrote in his statement.

“This is an arms race between hackers playing offense and universities playing defense,” Loh said. “…We will continue to make the necessary investments.”

But Iovino said it’s a race with no finish line.

“As a society, we don’t have the ability to eliminate IT (intrusions),” he said. “We can reduce them and we can reduce the impact. … There is no magic solution – that’s not the world we live in.”