HALOCK Investigation Finds That 25% Of Sampled Colleges And Universities Are Putting Student And Parent Private Financial Data At Risk

HALOCK sampled 162 institutions in the United States and found 41 that encouraged scanning and emailing unencrypted documents

July 31, 2013

4 Min Read


Schaumburg, IL, July 29, 2013: Cybersecurity firm, HALOCK Security Labs, found that this back-to-school season may be an ideal time for data thieves to steal the personal and financial information of students and parents. HALOCK found that over 50% of the colleges and universities investigated allow for the transmission of sensitive information over unencrypted (and therefore unprotected) email as an option without directly promoting it and 25% of the institutions investigated advised applicants to send personal information, including W2's, via unencrypted email to admissions and financial aid offices.

HALOCK sampled 162 institutions in the United States and found 41 that encouraged scanning and emailing unencrypted documents. The sample included Big 10, Big 8, Ivy League, community colleges and technical institutes and found security transgressions in all sectors. Unencrypted data transmissions could potentially place the personal information of many students, and their parents, at risk.

"When universities utilize unencrypted email as a method for submitting W2s and other sensitive documents, the information and attachments are transmitted as cleartext over the Internet. This format is susceptible to hackers and criminals who can use this private information for identity theft," says Terry Kurzynski, Partner at HALOCK Security Labs.

The HALOCK investigation found unsecured data transmission via email is suggested or offered as an option in collegiate institutions located in California, Colorado, Connecticut, Florida, Idaho, Illinois, Iowa, Indiana, Kansas, Louisiana, Massachusetts, Michigan, Minnesota, Mississippi, New Jersey, New York, North Carolina, Ohio, Pennsylvania, Texas, West Virginia and Wisconsin.

The investigation exposed significant liabilities for colleges and universities for failing to safeguard private information. "These are foreseeable risks that are extremely treatable. Breaches resulting from this type of transmission will capture the attention of the states' attorneys general and the Federal Trade Commission," adds Kurzynski.

Universities are prime targets for hacker attacks and attempts at breaches happen daily. In a recent New York Times article* (7/16/13), the University of Wisconsin cited that hackers from China are attempting to breach the university up to 100,000 times per day. Not only do universities maintain student and parent private information, they are also hubs for intellectual property and ground-breaking research – a rich target for hackers.

"Applicant information including social security numbers and tax information should only be transmitted electronically over encrypted and secured connections," says Kurzynski.

Why don't schools and universities take the necessary steps to safeguard sensitive information? Universities in general have limited budgets for information security, and therefore struggle to comply with the numerous laws and regulations regarding the data in their custody.

HALOCK suggests multiple compounding issues may be overwhelming to these institutions:

Typical university cultures promote open access to information

Transient and inexperienced student workers

Limited security and compliance budgets

Complicated and bureaucratic procurement processes

Student hackers with lots of time to target the very university that is educating them

Immature risk management

Information technology changes are limited to seasonal university breaks

Difficulty in educating the Board of Trustees on security risks

"Combine these factors with millions of private records (social security numbers, tax records, health records, banking information, etc.) and high-worth intellectual property (research, patents, etc.) and you've got a rich target for hackers. Imagine Fort Knox being guarded by a Scarecrow," adds Kurzynski.

What should universities be doing?

Universities should not offer unencrypted email as a method of collecting student applicant information. A variety of solutions exist, including secure web portals and other secure transport architectures. At a minimum, any university that publicly publishes a contact email address in their financial aid and admissions web sites, should clearly state that this contact email address should not be used for sending private information. Additionally, schools need to integrate risk management into administrative and operations processes to surface foreseeable risks as well as develop treatment options.

What can parents and students do to protect themselves and their data?

Parents should insist on a secure electronic transport mechanism that is encrypted or they should deliver documents in-person, through fax or certified mail. Parents should also request information regarding the university's policy on protecting private information often referenced as the "Information Privacy Policy" or the "Privacy Statement."

About HALOCK www.halock.com:

Founded in 1996, HALOCK Security Labs is a hybrid security services firm that strives to balance both business needs and information security requirements. HALOCK's philosophy of "Purpose Driven Security" focuses on defining and implementing just the right amount of security; not too much, not too little. HALOCK's services include: Security and Risk Management, Compliance Validation, Penetration Testing, Incident Response Readiness, Security Organization Development, and Malware Defense Strategy & Solutions.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights