
Hackers Go Back to Schools

Universities suffer about 43 percent of all security breaches, and their defenses aren't getting much better, according to AARP

Just sent your kid off to college? Beware: Colleges and universities are still the most likely victims of a security breach, according to a new study by the AARP Public Policy Institute. And one-third of all breaches in the study originated from hackers breaking into computer systems to steal personal data.

The study analyzes data gathered by the Identity Theft Resource Center on 244 publicly disclosed breaches reported between January 1, 2005 and May 26, 2006, which had potentially exposed the names of 89.8 million people.

Educational institutions suffered the brunt of the breaches, with 43 percent; government, 17 percent; business, 15 percent; financial services, 13 percent; and healthcare organizations, 12 percent.

High-profile laptop thefts aside, hacking still accounted for the most overall breaches, with 33 percent. Physical theft of laptops and other data equipment accounted for 29 percent of the incidents. The insider threat wasn't a big factor, registering only 6 percent of the breaches and 7 percent of lost backups, according to the study.

But when you put the hackers and insider breaches together, it's all about targeted attacks. "Some of it may be accidental, but you know that at least 40 percent of these were someone trying to get into those 50 million names in those databases," says Neal Walters, policy research analyst for the AARP Policy Institute.

Walters says what surprised him most in the findings was how pervasive personal data really is online. "People say things like 'I don't shop online, so I don't have to worry about it.' But if you look at the range of entities suffering breaches, if you exist, you're in a database somewhere -- in government, healthcare," he says. "You can't avoid being at risk."

For educational institutions, hacker attacks are the most common breach (over 50 percent), and healthcare and financial institutions typically suffer breaches from physical theft of computers, equipment, or paper files (20 percent and 14 percent, respectively), according to the study. For government agencies, the problem is more about improperly displaying sensitive personal information, meaning the data was inadvertently made available via a public Website or files weren't disposed of properly. That accounted for 17 percent of agency breaches.

Even though schools have the highest number of breaches, their potential for identity fraud was lower, at 3.6 million victims, versus that of financial institutions (47 million) and government agencies (34.1 million).

The bad news is that the main victim organizations identified in the study (universities and government agencies, for instance) don't have the financial pressures or incentives a big business would have to tighten up security and protect against identity theft, says AARP's Walters. "You're not going to not go to Stanford because they had a data breach a few years ago," Walters says, so there's no cost motivation for universities to improve their security.

Gary McGraw, CTO of Cigital, says AARP's raising awareness of identity theft for its members makes sense, but users also need guidelines on how to protect themselves. "It would be nice to explain to people what they can do to make it less likely for them to become a victim."

— Kelly Jackson Higgins, Senior Editor, Dark Reading
