HALOCK found that over 50% of the colleges and universities investigated allow for the transmission of sensitive information over unencrypted (and therefore unprotected) email as an option without directly promoting it and 25% of the institutions investigated advised applicants to send personal information, including W2’s, via unencrypted email to admissions and financial aid offices.
HALOCK sampled 162 institutions in the United States and found 41 that encouraged scanning and emailing unencrypted documents. The sample included Big 10, Big 8, Ivy League, community colleges and technical institutes and found security transgressions in all sectors. Unencrypted data transmissions could potentially place the personal information of many students, and their parents, at risk.
“When universities utilize unencrypted email as a method for submitting W2s and other sensitive documents, the information and attachments are transmitted as cleartext over the Internet. This format is susceptible to hackers and criminals who can use this private information for identity theft,” says Terry Kurzynski, Partner at HALOCK Security Labs.
The HALOCK investigation found unsecured data transmission via email is suggested or offered as an option in collegiate institutions located in California, Colorado, Connecticut, Florida, Idaho, Illinois, Iowa, Indiana, Kansas, Louisiana, Massachusetts, Michigan, Minnesota, Mississippi, New Jersey, New York, North Carolina, Ohio, Pennsylvania, Texas, West Virginia and Wisconsin.
The investigation exposed significant liabilities for colleges and universities for failing to safeguard private information. “These are foreseeable risks that are extremely treatable. Breaches resulting from this type of transmission will capture the attention of the states’ attorneys general and the Federal Trade Commission,” adds Kurzynski.
Universities are prime targets for hacker attacks and attempts at breaches happen daily. In a recent New York Times article (7/16/13), the University of Wisconsin cited that hackers from China are attempting to breach the university up to 100,000 times per day. Not only do universities maintain student and parent private information, they are also hubs for intellectual property and ground-breaking research – a rich target for hackers.
“Applicant information including social security numbers and tax information should only be transmitted electronically over encrypted and secured connections,” says Kurzynski.
Why don’t schools and universities take the necessary steps to safeguard sensitive information? Universities in general have limited budgets for information security, and therefore struggle to comply with the numerous laws and regulations regarding the data in their custody.
Multiple compounding issues may be overwhelming to these institutions:
- Typical university cultures promote open access to information
- Transient and inexperienced student workers
- Limited security and compliance budgets
- Complicated and bureaucratic procurement processes
- Student hackers with lots of time to target the very university that is educating them
- Immature risk management
- Information technology changes are limited to seasonal university breaks
- Difficulty in educating the Board of Trustees on security risks.
“Combine these factors with millions of private records (social security numbers, tax records, health records, banking information, etc.) and high-worth intellectual property (research, patents, etc.) and you’ve got a rich target for hackers. Imagine Fort Knox being guarded by a Scarecrow,” adds Kurzynski.