By Elizabeth Murphy
Collegian Staff Writer
February 26, 2008
Information security breaches at colleges and universities are on the
rise, according to a report released earlier this month.
The report, Educational Security Incidents (ESI) Year in Review,
spotlights institutions worldwide, and Penn State was included in the
report with one data breach last year.
In September, the Social Security numbers of more than 10,500 marines
were inadvertently posted on a Penn State Web site. The names and
numbers were compiled for a research project being conducted at Penn
State, according to the report.
"My goal with ESI is to, hopefully, increase awareness within higher
education that not only is information security a concern, but that the
threats to college and university information is not as simple as
network and/or computer attacks," Adam Dodge, ESI creator, wrote in an
The report indicated that there were a total 139 incidents at
institutions during 2007, a 67.5 percent increase since 2006. The total
number of institutions affected by data breaches also went up to 112, a
72.3 percent increase since 2006.
The report also shows the majority of information breaches at colleges
came from unintentional leaks, rather than hackers. But Penn State
Information Technology Vice Provost Kevin Morooney said he isn't sure
how deeply anyone should read into the report.
"I'm ignoring the report," he said. "Hackers are a constant and daily
threat at the university, and we have many things put in place to
mitigate the risk."
Morooney said the IT team at Penn State has many preventative measures
in place, including the switch from Social Security numbers to student
ID numbers as the primary identifier three years ago.
Another potential data breach involved a laptop containing archived
information, including Social Security numbers for 677 students who
attended Penn State between 1999 and 2004, that was stolen from a
faculty member while traveling in January. This incident was not
included in ESI's 2007 report.
Morooney said Penn State provides anti-virus software for faculty and
students and utilizes an intrusion detection system that notifies
Information Technology Services (ITS) if a computer is compromised. More
recently, ITS has been scanning hundreds of computers in search of
sensitive data to make them safer for faculty.
"It comes down to people realizing how important it is as individuals to
take individual action because it will breed institutional reaction as
well," Morooney said. "I think there is a heightened sense of awareness,
but it is not where it needs to be."
Morooney said people have a heightened concern about privacy but don't
take computer information as seriously. He said someone hacking into a
person's computer is just like someone breaking into a person's home.
Dodge said people need to protect their private digital information
better by utilizing protection programs and just being knowledgeable
about the risks.
"In the end, the goal is to have technical and non-technical security
programs that complement and reinforce each other," Dodge wrote.
Dodge also wrote that data breaches will continue to happen, but it is
now up to the colleges and universities to take the steps to make them
few and far between.
"One of the most important ways that colleges and universities can
control breaches and data leakage is to educate employees about the
risks and to ensure that employees understand that information security
is everyone's responsibility," Dodge wrote.
Subscribe to InfoSec News