University Databases In the Bull's EyeRecent wave of university hacks nationwide exposes vestiges of former practice of using social security number as identifiers
A high-profile breach announced this week at the University of Hawaii (UH) Manoa was the latest in a rash of summertime university database exposures -- and it serves as a reminder of how much work postsecondary institutions still must do to improve their data security practices.
The UH Manoa breach affected approximately 53,000 students, faculty, and other customers of the university's parking facilities. It was the result of a hacker gaining entry into a server containing a database full of parking facility customer information, including social security numbers and credit card data.
The education vertical has been hit by at least three other glaring database breaches at big universities across the country during the past few months, comprising:
- a breach at the University of Maine, which exposed a database that included names, social security numbers, and clinical information for every student who had used the school's counseling center services since the summer of 2002;
- a vulnerability in an academic tracking database at Florida International University, which exposed GPAs, test scores, and social security numbers of more than 19,000 students; and
- a botnet infection on a PC owned by Penn State University, which was transmitting personal information from a pool of nearly 16,000 records stored in a cached copy of a database of social security numbers once housed on that machine. The original database had been deleted after the university discontinued the use of social security numbers as identifiers five years ago, but the copy remained.
This spate of breaches at higher-education institutions is hardly a surprise to security experts.
"When you think about it, educational institutions have a wealth of information," says Thom VanHorn, vice president of global marketing for Application Security Inc. "They obviously have records on the students themselves, they have social security numbers, they have health records, and they also have financial information from the parents who are paying the bills. So they have a lot of very marketable data, which makes them a very attractive target."
The social security numbers, in particular, are a hot button issue. Many universities have historically repurposed social security numbers as student identifiers -- a practice that has been abandoned by most organizations in light of the dangers it puts on student records. However, the vestiges of records from when that was common still remains on many systems: The Penn State breach is a perfect example of how that can happen.
"In a lot of instances, you can also still find that stuff on test databases, and there may be some legacy test databases that still have information like that," VanHorn says. "That's why it's so important for organizations not only to protect their production databases, but also to protect databases that are connected to the network that were test databases, because the database infrastructure is only as strong as its weakest link. Once you're on the network, you can probe around and you can find test databases that have actual data."
While the database breaches hitting higher education institutions this summer are a fresh reminder of why data security is so important, the fact is these latest incidents are just a few isolated beads in a string of incidents that date back far beyond this year. According to Rich Mogull, analyst with Securosis, these types of breaches have been going on so long he'd hardly class them as news anymore.
"Education has been one of the most frequently targeted verticals out there," he says. "It's not like a business; universities are very distributed organizations, and they tend to have more open networks. And the fact is that not all of their systems are maintained all that well."
He recommends educational institutions work on better segmenting their networks to protect more valuable information and work to improve their vulnerability assessment processes. One of the most important ways to get started is to initiate a thorough data discovery process to figure out where all of the sensitive data resides both in and out of databases scattered across the network. He says the free Cornell Spider tool is one created just for these organizations embarking on a data discovery hunt, and is worth a look.
But even more critical is that educational institutions begin to shift their political and organizational climates to make it possible for IT to make meaningful security changes that will prevent incidents in the future. "And that's what's hard," Mogull says. "There's no easy answer there."
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.