Higher ed struggles to secure its data

In aftermath of UCLA breach, schools forced to come to grips with the extent of their vulnerability. While breaches don't equal identity thefts, organized crime is working on exploiting their harvest of personal data.

It's no secret that colleges and universities have been a favorite target of hackers. They are repositories of juicy bits of personal information that data thieves love, and after the recent breach at UCLA, schools are grappling with how to patch the holes in their security systems, reports The New York Times.

There has been a rash of huge data breaches at large institutions in the last several years. 2006 set a record for higher-ed data breaches. Kevin Poulsen, senior editor for Wired News noted the dubious milestone on his blog last week.

"Rapid-fire announcements this week by U.C.L.A. (800,000 records) and Aetna (130,000) moved the total to the threshold, when Boeing revealed yesterday that a laptop recently stolen from an employee's car contained names, Social Security numbers and other data on 382,000 current and former employees of the aerospace giant — bringing the total to a grim 100,152,801 records (as of this post)."

Some of these breaches may have been thieves going for just the laptop, but at UCLA there is no doubt that the hackers entered the restricted database to get at the names, addresses, Social Security numbers and other private information of current and former students and faculty. It was a very sophisticated and well-planned breach that lasted for over a year before the breach was noticed.

A study conducted last year found that a whopping 43 percent of compromised data records were breached at higher education institutions.

"College and university databases are the ideal target for cyber criminals and unscrupulous insiders," said Ron Ben-Natan, the chief technology officer of Guardium, a database security and monitoring company based in Waltham, Mass. "They store large volumes of high-value data on students and parents, including financial aid, alumni and credit card records.

"At the same time," Mr. Ben-Natan continued, "these organizations need open networks to effectively support their faculty, students and corporate partners."

But how likely is it that these compromised records will wind up being used for identity theft? Not very, says one expert.

"The threat of identity theft from data losses is being greatly exaggerated," Fred H. Cate, the director of the Center for Applied Cybersecurity Research at Indiana University in Bloomington, said. "And that's because a lot of people have fallen into the trap of equating data loss with identity theft."

Others state that it is just a matter of time before criminals learn how to properly mined the information gleaned.

"At some point organized crime is going to get real organized and actually figure out what to do with the millions of identities and user accounts sitting on these thieves' computers," said Julie Fergerson, a vice president at Debix, an identity protection firm, and a board member of the Merchant Risk Council, an antifraud trade group. "Right now, there is just too much data, and the criminals simply have not figured out a way to commit crimes against a million individuals all at once."