FOR IMMEDIATE RELEASE
HALOCK Investigation finds that 25% of sampled colleges and universities are putting student and parent private financial data at risk
This information is susceptible to identity theft by hackers and criminals
Schaumburg, IL, July 29, 2013: Cybersecurity firm, HALOCK Security Labs, found that this back-to-school season may be an ideal time for data thieves to steal the personal and financial information of students and parents. HALOCK found that over 50% of the colleges and universities investigated allow for the transmission of sensitive information over unencrypted (and therefore unprotected) email as an option without directly promoting it and 25% of the institutions investigated advised applicants to send personal information, including W2’s, via unencrypted email to admissions and financial aid offices.
HALOCK sampled 162 institutions in the United States and found 41 that encouraged scanning and emailing unencrypted documents. The sample included Big 10, Big 8, Ivy League, community colleges and technical institutes and found security transgressions in all sectors. Unencrypted data transmissions could potentially place the personal information of many students, and their parents, at risk.
“When universities utilize unencrypted email as a method for submitting W2s and other sensitive documents, the information and attachments are transmitted as cleartext over the Internet. This format is susceptible to hackers and criminals who can use this private information for identity theft,” says Terry Kurzynski, Partner at HALOCK Security Labs.
The HALOCK investigation found unsecured data transmission via email is suggested or offered as an option in collegiate institutions located in California, Colorado, Connecticut, Florida, Idaho, Illinois, Iowa, Indiana, Kansas, Louisiana, Massachusetts, Michigan, Minnesota, Mississippi, New Jersey, New York, North Carolina, Ohio, Pennsylvania, Texas, West Virginia and Wisconsin.
The investigation exposed significant liabilities for colleges and universities for failing to safeguard private information. “These are foreseeable risks that are extremely treatable. Security breaches resulting from this type of transmission will capture the attention of the states’ attorneys general and the Federal Trade Commission,” adds Kurzynski.
Universities are prime targets for hacker attacks and attempts at breaches happen daily. In a recent New York Times article, the University of Wisconsin cited that hackers from China are attempting to breach the university up to 100,000 times per day. Not only do universities maintain student and parent private information, they are also hubs for intellectual property and ground-breaking research – a rich target for hackers.
“Applicant information including social security numbers and tax information should only be transmitted electronically over encrypted and secured connections,” says Kurzynski.
Why don’t schools and universities take the necessary steps to safeguard sensitive information? Universities in general have limited budgets for information security, and therefore struggle to comply with the numerous laws and regulations regarding the data in their custody.
HALOCK suggests multiple compounding issues may be overwhelming to these institutions:
- Typical university cultures promote open access to information
- Transient and inexperienced student workers
- Limited security and compliance budgets
- Complicated and bureaucratic procurement processes
- Student hackers with lots of time to target the very university that is educating them
- Immature risk management
- Information technology changes are limited to seasonal university breaks
- Difficulty in educating the Board of Trustees on security risks
“Combine these factors with millions of private records (social security numbers, tax records, health records, banking information, etc.) and high-worth intellectual property (research, patents, etc.) and you’ve got a rich target for hackers. Imagine Fort Knox being guarded by a Scarecrow,” adds Kurzynski.
What should universities be doing?
Universities should not offer unencrypted email as a method of collecting student applicant information. A variety of solutions exist, including secure web portals and other secure transport architectures. At a minimum, any university that publicly publishes a contact email address in their financial aid and admissions web sites, should clearly state that this contact email address should not be used for sending private information. Additionally, schools need to integrate risk management into administrative and operations processes to surface foreseeable risks as well as develop treatment options.
What can parents and students do to protect themselves and their data?
Founded in 1996, HALOCK Security Labs is cyber security consulting company that strives to balance both business needs and information security requirements. HALOCK’s philosophy of “Purpose Driven Security” focuses on defining and implementing just the right amount of security; not too much, not too little. HALOCK’s services include: Security and Risk Management, Compliance Validation, Penetration Testing, Incident Response Readiness, Security Organization Development, and Malware Defense Strategy & Solutions. HALOCK is headquartered in Schaumburg, IL and advises clients throughout the US.
Are you prepared for a cyber security incident? Assess your incident response readiness. We can help if you have a security incident to help minimize the impact.
Incident Response Hotline: 800-925-0559
Don`t blame colleges and institutes. Any bureaucratic organisation has very similar security issues just because there is no one responsible in case security breach occurs.
I disagree that colleges and institutions are to be held blameless.
As a long-time employee at a major university in the Chicago area, I can tell you first-hand that phishing has become insidious. Everyday, my University email account is bombarded with phishing attempts that require both University and School level warning broadcasts. Also, to that very same email account, the University will allow you to download various sensitive personal documents, including W4s.
When you have lax users, who do not think twice about security issues, combined with loose institutional security, you have the makings of a serious problem. Several times, the University has issued warnings that various systems have been hacked.
It seems way to easy for University email systems to be accessed.