HALOCK sampled 162 institutions in the United States and found 41 that encouraged scanning and emailing unencrypted documents. The sample included Big 10, Big 8, Ivy League, community colleges and technical institutes, and security transgressions were found in all sectors. Unencrypted data transmissions could place the personal information of many students, and their parents, at risk.
"When universities utilize unencrypted email as a method for submitting W2s and other sensitive documents, the information and attachments are transmitted as cleartext over the Internet. This format is susceptible to hackers and criminals who can use this private information for identity theft," says Terry Kurzynski, Partner at HALOCK Security Labs.
The HALOCK investigation found unsecured data transmission via email is suggested or offered as an option in collegiate institutions located in California, Colorado, Connecticut, Florida, Idaho, Illinois, Iowa, Indiana, Kansas, Louisiana, Massachusetts, Michigan, Minnesota, Mississippi, New Jersey, New York, North Carolina, Ohio, Pennsylvania, Texas, West Virginia and Wisconsin.
The investigation exposed significant liabilities for colleges and universities for failing to safeguard private information. "These are foreseeable risks that are extremely treatable. Breaches resulting from this type of transmission will capture the attention of the states' attorneys general and the Federal Trade Commission," adds Kurzynski.
Universities are prime targets for hacker attacks, and breach attempts happen daily. In a recent New York Times article* (7/16/13), the University of Wisconsin reported that hackers from China are attempting to breach the university up to 100,000 times per day. Not only do universities maintain student and parent private information, they are also hubs for intellectual property and ground-breaking research – a rich target for hackers.
"Applicant information including social security numbers and tax information should only be transmitted electronically over encrypted and secured connections," says Kurzynski.
Why don't schools and universities take the necessary steps to safeguard sensitive information? Universities in general have limited budgets for information security, and therefore struggle to comply with the numerous laws and regulations regarding the data in their custody.
HALOCK suggests multiple compounding issues may be overwhelming to these institutions:
Typical university cultures promote open access to information
Transient and inexperienced student workers
Limited security and compliance budgets
Complicated and bureaucratic procurement processes
Student hackers with lots of time to target the very university that is educating them
Immature risk management
Information technology changes are limited to seasonal university breaks
Difficulty in educating the Board of Trustees on security risks
"Combine these factors with millions of private records (social security numbers, tax records, health records, banking information, etc.) and high-worth intellectual property (research, patents, etc.) and you've got a rich target for hackers. Imagine Fort Knox being guarded by a Scarecrow," adds Kurzynski.
What should universities be doing?
Universities should not offer unencrypted email as a method of collecting student applicant information. A variety of solutions exist, including secure web portals and other secure transport architectures. At a minimum, any university that publicly publishes a contact email address on its financial aid and admissions web sites should clearly state that the address must not be used for sending private information. Additionally, schools need to integrate risk management into administrative and operational processes, both to surface foreseeable risks and to develop treatment options.
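The two concrete recommendations above (no cleartext intake path, and a clear "do not email private information" notice next to any published contact address) can be checked against an institution's own admissions and financial aid pages. The following self-audit script is an added example and is not HALOCK's tooling or anything from the report; the two HTML pages it inspects are constructed for illustration, and the notice phrases and sensitive-document terms it matches on are assumptions to be tuned to a given site's wording.

```python
"""Self-audit helper (added example, not HALOCK's): inspect an institution's OWN
admissions / financial-aid HTML pages for the two weak patterns the report
describes:
  1. a published mailto: contact address with no notice telling applicants
     not to send private information by email, and
  2. an upload/submission form that posts over plain http:// (cleartext)
     instead of https://.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Phrases taken to satisfy "clearly state that this address should not be used
# for private information". Assumed wording; adjust to the site's own notice.
NOTICE_PHRASES = ("do not send", "do not email", "should not be used", "must not be used")
# Terms indicating the page invites the kinds of documents the report is about.
SENSITIVE_TERMS = ("w-2", "w2", "tax", "social security", "ssn", "bank")


class IntakePageParser(HTMLParser):
    """Collect mailto: addresses, form actions and visible text from one page."""

    def __init__(self):
        super().__init__()
        self.mailtos, self.form_actions, self.text = [], [], []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # valueless attributes arrive as None
        href = a.get("href", "")
        if tag == "a" and href.lower().startswith("mailto:"):
            # Keep only the address; drop any ?subject=... query part.
            self.mailtos.append(href[len("mailto:"):].split("?", 1)[0])
        elif tag == "form":
            self.form_actions.append(a.get("action", ""))

    def handle_data(self, data):
        self.text.append(data)


def audit_page(page_url, html):
    """Return a list of (severity, message) findings for one intake page."""
    p = IntakePageParser()
    p.feed(html)
    text = " ".join(p.text).lower()
    has_notice = any(ph in text for ph in NOTICE_PHRASES)
    invites_docs = any(t in text for t in SENSITIVE_TERMS)
    findings = []
    for addr in p.mailtos:
        if not has_notice:
            # Worse when the page itself asks for W-2s, tax forms, SSNs, etc.
            sev = "high" if invites_docs else "medium"
            findings.append((sev, f"{page_url}: contact address {addr} published without a "
                                  "'do not email private information' notice"))
    for action in p.form_actions:
        # A relative action inherits the page's scheme; an absolute one may not.
        scheme = urlparse(urljoin(page_url, action)).scheme
        if scheme != "https":
            findings.append(("high", f"{page_url}: form submits over {scheme or 'unknown'} "
                                     f"to {action!r}, not https"))
    return findings


# Constructed sample pages (not real university content).
WEAK_PAGE = """<html><body><h1>Financial Aid</h1>
<p>Scan and email your W-2 and tax return to
<a href="mailto:finaid@example.edu?subject=W2">finaid@example.edu</a>.</p>
<form action="http://example.edu/upload" method="post"><input type="file" name="doc"></form>
</body></html>"""

HARDENED_PAGE = """<html><body><h1>Financial Aid</h1>
<p>Questions? Contact <a href="mailto:finaid@example.edu">finaid@example.edu</a>.
Do not send W-2s, tax returns or social security numbers by email; upload them
through the secure portal below.</p>
<form action="/secure/upload" method="post"><input type="file" name="doc"></form>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("weak", WEAK_PAGE), ("hardened", HARDENED_PAGE)):
        for sev, msg in audit_page("https://example.edu/financial-aid", page) or [("ok", f"{name}: no findings")]:
            print(f"[{sev}] {msg}")
```

Run it against exported copies of your own admissions and financial aid pages (for example, from a site crawl you already maintain); the weak sample yields two high findings (an unguarded mailto on a page that asks for W-2s, and an http:// upload form), while the hardened sample, which keeps the same address but adds the notice and an https portal, yields none.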
What can parents and students do to protect themselves and their data?
About HALOCK www.halock.com:
Founded in 1996, HALOCK Security Labs is a hybrid security services firm that strives to balance both business needs and information security requirements. HALOCK's philosophy of "Purpose Driven Security" focuses on defining and implementing just the right amount of security; not too much, not too little. HALOCK's services include: Security and Risk Management, Compliance Validation, Penetration Testing, Incident Response Readiness, Security Organization Development, and Malware Defense Strategy & Solutions.