On Jan. 22, the University of Chicago became aware of a cyberattack that targeted student records from its Biological Sciences department. According to ZDNet, university officials still aren’t certain when the hack started or how deep it went, but in a letter dated Feb. 22, the institution apologized for the threat to student and employee security and offered a one-year subscription to a credit-monitoring service. This isn’t the first time a university has been the victim of a data breach, and it certainly won’t be the last.

Known Quantities

University administrators now know that at least one Department of Medicine database was compromised, which included information about current students and employees in addition to data about former students, employees and even contractors.

The school’s letter indicates that stolen personal information ranges from names and Social Security numbers to employee IDs, usernames and physical addresses. However, it assured those affected that no banking information or other types of financial data were compromised.

Access to the database has been restricted while IT experts attempt to determine the exact scope of this data breach and for how long cybercriminals had access. So far, there’s no word on who might be responsible for the attack. The other unknown? Why universities keep popping up in the news for IT breaches.

Familiar Qualities?

Retail stores and health care agencies are both popular targets for cyberattacks because they deal with a high volume of sensitive consumer information, often with payment details attached. Post-secondary schools share some of these qualities, since students are required to provide a large amount of personal information and financial assurances to guarantee their enrollment. However, in comparison to the 70 million credit cards compromised in last year’s Target attack, the 300,000 students and faculty targeted at North Dakota University or the University of Maryland last year seem like just a drop in the bucket. With malicious actors now able to crack some of the world’s most complex and secure systems, why would they target universities?

There are two reasons. First, post-secondary IT security can sometimes be spotty. Several recent data breaches were successful because information wasn’t properly encrypted or network access policies simply weren’t up to snuff. The second reason is usability — students are typically slow to replace stolen cards or track credit ratings, and universities often wait months before disclosing the nature and scope of a breach. This leaves malicious actors with a significant amount of time to commit fraud without being detected and then move on to their next target.

The big lesson here for the University of Chicago and other post-secondary schools is that holding a large amount of student and employee records — both current and former — puts them on the same playing field as enterprises. Therefore, IT security must be tailored to match the value of assets, not assumptions.

Image Source: Flickr