Welcome Guest. | Log In| Register | Membership Benefits
  • Email this page E-mail this page
  • |  Print Print this page
  • |   Bookmark and Share

Schools Suffer One-Third of Total U.S. Data Breaches

New report reveals 12.4 million student and consumer profiles were compromised in 324 breaches at colleges, K-12 schools

Nov 13, 2008 | 05:11 PM

By Kelly Jackson Higgins
DarkReading

School safety is taking on a whole new meaning: Nearly one-third of all U.S. data breaches occurred in K-12, colleges, and universities, a new study found.

And given that schools make up only about 0.6 percent of U.S. businesses and other organizations, that's a relatively disproportionate amount of breaches, says Joseph Campana, principal of J. Campana & Associates, which conducted the study (PDF).

Data from more than 12.4 million students, parents, faculty, and other consumers was exposed in 324 breaches, according to the report, which draws data from the Privacy Rights Clearinghouse. "Most of these breaches involved social security numbers or account numbers," Campana says. "If it was students and employees, it typically involved social security numbers. If it was parents, volunteers, or donors, it could be social security numbers or [credit card] account numbers."

More than one-third of the breaches were the result of lost, stolen, or missing computers, storage devices, magnetic tape, microfiche, and paper documents. Stolen or missing laptops made up 15 percent of these incidents. Hacking was the culprit in 24 percent of the cases, including both external and insider threats.

Not surprisingly, colleges and university were the bulk of the problem, with 79 percent of the breach incidents in the education sector. Earlier this week, the University of Florida became the latest victim, revealing that an intruder had broken into its College of Dentistry computers, potentially compromising the personal information of some 330,000 current and former patients.

K-12 schools suffered 15 percent of these breaches, but had the most (30 percent) breaches where the actual number of user profiles exposed was unknown, while colleges and universities had only 6 percent of such instances.

"This is a red flag that [K-12 schools] don't take inventory of the information they do have," Campana says. "That there were so many 'unknowns' surprised me."

Schools must make privacy a priority like they do with cracking down on gang activity, he adds. "If they are dealing with gangs or other discipline problems, it gets propagated through the schools. It's a matter of making privacy a priority."

That means training school risk managers to include privacy in their assessments, he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message


Subscribe to RSS










Bugs
ENTERPRISE VULNERABILITIES
Vulnerability:ghostscript
Published:2010-07-22
Severity:High
Description:Buffer overflow in gs/psi/iscan.c in Ghostscript 8.64 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted PDF document containing a long name.
Vulnerability:small pirate
Published:2010-07-22
Severity:High
Description:Multiple SQL injection vulnerabilities in Small Pirate (SPirate) 2.1 allow remote attackers to execute arbitrary SQL commands via (1) the id parameter to the default URI in an rss .xml action, or the id parameter to (2) pag1.php, (3) pag1-guest.php, (4) rss-comment_post.php (aka rss-coment_post.php), or (5) rss-pic-comment.php.
Vulnerability:small pirate
Published:2010-07-22
Severity:Medium
Description:Cross-site scripting (XSS) vulnerability in Small Pirate (SPirate) 2.1 allows remote attackers to inject arbitrary web script or HTML via an onmouseover action in an img BBCode tag within a url BBCode tag.
Vulnerability:com jvideo
Published:2010-07-22
Severity:High
Description:SQL injection vulnerability in the JVideo! (com_jvideo) component 0.3.11c Beta and 0.3.x for Joomla! allows remote attackers to execute arbitrary SQL commands via the user_id parameter in a user action to index.php.
Vulnerability:adpeeps
Published:2010-07-22
Severity:Medium
Description:Multiple cross-site scripting (XSS) vulnerabilities in index.php in AdPeeps 8.5d1 allow remote attackers to inject arbitrary web script or HTML via the (1) uid parameter, (2) uid parameter in a login_lookup action, (3) uid parameter in an adminlogin action, (4) campaignid parameter in a createcampaign action, (5) type parameter in a view_account_stats action, (6) period parameter in a view_account_stats action, (7) uid parameter in a view_adrates action, (8) accname parameter in an account_confirmation action, (9) loginpass parameter in an account_confirmation action, (10) e9 parameter in a setup_account action, (11) from parameter in an email_advertisers action, (12) message parameter in an email_advertisers action, (13) idno parameter in an edit_ad_package action, (14) Advertiser Name field, (15) First Name field, (16) Last Name field, (17) Address field, (18) Phone Number field, (19) Password Hint field, or (20) URL field; and (21) allow remote authenticated users to inject arbitrary web script or HTML via an unspecified form associated with a view_adrates action.


Briefing Centers
POWERFUL INFORMATION
AT YOUR FINGERTIPS
(SPONSORED LINKS)