Dark Reading
Risky Business
Do more than just cursory scans. Develop
a holistic approach to app security.
Find out how!
Learn to take the ambiguity out of managing IT so you can guide your business forward.
Download now!
Use these tips from Gartner to identify the EPP solution that best suits your business.
Download now!
Schools Suffer One-Third of Total U.S. Data Breaches
New report reveals 12.4 million student and consumer profiles were compromised in 324 breaches at colleges, K-12 schoolsNov 13, 2008 | 05:11 PM
By Kelly Jackson HigginsDarkReading
School safety is taking on a whole new meaning: Nearly one-third of all U.S. data breaches occurred in K-12, colleges, and universities, a new study found.
And given that schools make up only about 0.6 percent of U.S. businesses and other organizations, that's a relatively disproportionate amount of breaches, says Joseph Campana, principal of J. Campana & Associates, which conducted the study (PDF).
Data from more than 12.4 million students, parents, faculty, and other consumers was exposed in 324 breaches, according to the report, which draws data from the Privacy Rights Clearinghouse. "Most of these breaches involved social security numbers or account numbers," Campana says. "If it was students and employees, it typically involved social security numbers. If it was parents, volunteers, or donors, it could be social security numbers or [credit card] account numbers."
More than one-third of the breaches were the result of lost, stolen, or missing computers, storage devices, magnetic tape, microfiche, and paper documents. Stolen or missing laptops made up 15 percent of these incidents. Hacking was the culprit in 24 percent of the cases, including both external and insider threats.
Not surprisingly, colleges and university were the bulk of the problem, with 79 percent of the breach incidents in the education sector. Earlier this week, the University of Florida became the latest victim, revealing that an intruder had broken into its College of Dentistry computers, potentially compromising the personal information of some 330,000 current and former patients.
K-12 schools suffered 15 percent of these breaches, but had the most (30 percent) breaches where the actual number of user profiles exposed was unknown, while colleges and universities had only 6 percent of such instances.
"This is a red flag that [K-12 schools] don't take inventory of the information they do have," Campana says. "That there were so many 'unknowns' surprised me."
Schools must make privacy a priority like they do with cracking down on gang activity, he adds. "If they are dealing with gangs or other discipline problems, it gets propagated through the schools. It's a matter of making privacy a priority."
That means training school risk managers to include privacy in their assessments, he says.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message
New Banking Trojan Discovered Targeting Businesses' Financial Accounts 02/09/2010
China Nudges Out U.S. For Most Bot-Infected Machines 02/09/2010
The Evolving Malware Threat: Is Your Organization Protected from All Angles? 02/17/2010
Daily log review sucks, here's how to make it easier 01/28/2010
DIGITAL ASSETS
The Tangled Web: Silent Threats & Invisible Enemies
02/02/2010
From the Field: A Hacker's Story
02/01/2010
Subscribe to RSSChina Nudges Out U.S. For Most Bot-Infected Machines
China Shutters Hacker 'Boot Camp'
GAO Report: NASA Still Facing Weaknesses In IT Security
MORE KEYHOLE
Published:2010-01-22
Severity:High
Description:SUSE Linux Enterprise 10 SP3 (SLE10-SP3) configures postfix to listen on all network interfaces, which might allow remote attackers to bypass intended access restrictions.
Published:2010-01-22
Severity:High
Description:The URL validation functionality in Microsoft Internet Explorer 7 and 8 does not properly process input parameters, which allows remote attackers to execute arbitrary local programs via a crafted URL, aka "URL Validation Vulnerability."
Published:2010-01-22
Severity:Medium
Description:ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P5, 9.5 before 9.5.2-P2, 9.6 before 9.6.1-P3, and 9.7.0 beta does not properly validate DNSSEC (1) NSEC and (2) NSEC3 records, which allows remote attackers to add the Authenticated Data (AD) flag to a forged NXDOMAIN response for an existing domain.
Published:2010-01-22
Severity:High
Description:Microsoft Internet Explorer 6, 6 SP1, 7, and 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, leading to memory corruption, aka "Uninitialized Memory Corruption Vulnerability," a different vulnerability than CVE-2009-2530 and CVE-2009-2531.
Published:2010-01-22
Severity:High
Description:Microsoft Internet Explorer 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, leading to memory corruption, aka "Uninitialized Memory Corruption Vulnerability," a different vulnerability than CVE-2009-3671, CVE-2009-3674, and CVE-2010-0246.
|
