Higher education breaches significantly down

In a year highlighted by the biggest data security breaches on record, the higher education vertical appears to have had a reprieve relative to prior years in terms of overall breaches reported and the corresponding number of total records breached.

In 2011, there was a dramatic decrease in the total number of reported records affected (478,490), as well as institutions (48) that reported breaches. Both figures are all-time lows since data breach recording began in 2005, according to Application Security’s TeamSHATTER.

The unwanted distinction of suffering the largest reported data breach in 2011 by a U.S.-based institution of higher learning went to Virginia Commonwealth University (VCU), which reported a breach of 176,567 records on November 11, 2011.

Rounding out the 2011 Higher Education Data Breach Madness “Final Four” were the University of Wisconsin Milwaukee (79,000), Yale University (43,000) and the University of South Carolina (31,000).

VCU became the 21st higher education institution since 2005 to report a data breach in excess of 100,000 records and was the only one to eclipse that number in 2011. Three institutions exceeded the 100,000 mark in 2010. In 2005 – the first year reported data breaches were recorded – six higher education schools surpassed 100,000.

The Ponemon Institute’s most recent “Annual Study: U.S. Cost of a Data Breach” (March 2011) found that the average cost to organizations per compromised record was $214, though in the education vertical the average cost was far lower at $112 per record. Even at the lower education average, the VCU data breach could cost the university nearly $20 million.

The “winner” of last year’s “Madness” was Ohio State University, which suffered a breach of a reported 750,000 compromised records, the second highest U.S.-based higher education breach total on record. UCLA holds the record with 800,000 compromised records, reported in 2006.

2012 has already seen some notable breaches, most prominently at Arizona State University (ASU), which reported a breach of 300,000 records in January, tying the school for the fourth highest U.S. higher education breach of all time.

Other significant breaches reported have come from the City College of San Francisco, University of North Carolina Charlotte and Central Connecticut State University.

“While it is encouraging to see both the number of reported higher education breaches and records breached significantly down from 2011, security and operations personnel should not relax their data security efforts,” said Alex Rothacker, Director of Security Research, AppSecInc’s TeamSHATTER. “In 2012 we have already seen some sizable breaches reported, and while exact data on the number of records compromised is not official, we estimate that this year’s total has already exceeded that of 2011.”

The Data Breach Madness bracket is based on publicly reported data breaches compiled by Privacy Rights Clearinghouse, and its outcome reflects the total number of records breached at each higher education institution.

The larger the breach, the further each institution went on in the “tournament”, until an eventual “champion” was crowned.