Universities especially vulnerable to ID theft

Dec 19, 2006 3:26 PM

Universities have become attractive targets for hackers who are taking advantage of the openness of the schools' networks, their decentralized security and the personal information they keep on millions of young adults, The Associated Press reports.

A major database breach at the University of California, Los Angeles (UCLA), that went undetected for more than a year and a smaller breach at the University of Texas are the latest examples of how vulnerable colleges are to such attacks.

Officials at UCLA alerted about 800,000 current and former students, faculty and staff last week that their names and certain personal information were exposed after a hacker broke into a campus computer system.

Only a small percentage -- "far less than 5 percent" -- of the records in the database were actually accessed, UCLA spokesman Jim Davis told The Associated Press.

Universities account for more than 50 data breaches on a list of more than 300 so far this year as tracked by the Privacy Rights Clearinghouse.

The UCLA breach was discovered Nov. 21 when the university noticed a hacker was fishing through the database specifically for names and Social Security numbers. Officials said the hacks date back to at least October 2005.

Hackers also might have obtained the personal information of 6,000 people who worked for, applied to or attended the University of Texas at Dallas, school officials said last week. The information includes names and Social Security numbers, the school said. In some cases, addresses, e-mail addresses and telephone numbers also might have been obtained.

One reason university databases make such attractive targets is that Social Security numbers are routinely used to identify students. "It is about time that Social Security numbers receive more protection or that they no longer be used for identifying individuals within the university system," Beth Givens, the Privacy Rights Clearinghouse director, tells The AP.

UCLA no longer uses Social Security numbers to identify students, Davis says. In addition, the school has tightened security by requiring that all computers connecting to its networks be inspected and have the latest anti-virus software and other security programs installed.

Davis says the university tries to balance the need for libraries and other research facilities to have more open access to data with the need to keep sensitive information concentrated and secure. "We are striving very hard to strike exactly the right balance, recognizing we do need to protect information," he says. "But we don't want to undercut the way the university works in regards to open communications."

Universities also need to communicate freely with other educational institutions and the public to foster research.

Despite several attempts, there is no strong federal law mandating that universities notify everyone whose information has been compromised due to security breaches. Laws in 33 states vary in notification requirements placed on universities and corporations.

Credit card numbers, Social Security numbers, dates of birth and other items of personal information can be sold on the black market and used to make illegal online purchases. Young adults, with their usually blank credit histories, make ideal targets for identity theft.

Want to use this article? Click here for options!
© 2012 Penton Media Inc.

This month in Access Control

• Targeting The Customer
• Electronic Pedigrees
• One Hero Among Many
• Who? What? When? Where? Why?
• More from September's issue