
Please… No More Top Ten Lists!

By Adam Dodge

‘Tis that time of year when Top Ten lists abound to remind us of what we lived through only a few short months ago. Luckily, The Security Catalyst writers are above such seasonal sensationalism… or am I?

I am currently working to compile a “Year in Review” of sorts on all of the reported security incidents that have occurred in 2006 at institutions of higher education. This report will be based on my research of such news reports, found at Educational Security Incidents (ESI), and will hopefully be posted by mid-January. (Note: I admit this is a shameless plug, but you do not have to care about ESI. I promise I will not be offended.) As I review the past year’s incidents, I have noticed that a few of them stand out for one reason or another.

Mulling over these anomalies, I have come to the conclusion that these incidents hold some significance that sets them apart from the other incidents. Some of them jump out because of the number of individuals affected, others jump out because of the type of incident that has occurred. Still more jump out because they result from circumstances that really should never have occurred. Without further ado, I bring you:

Adam’s Top Ten Most Significant Educational Security Incidents of 2006

(in chronological order)

  1. Metropolitan State College - March 3, 2006: A laptop containing 93,000 student records is stolen from an employee’s car. Why were so many records on the laptop? The employee was using them as part of their master’s degree research. This is one of those incidents that probably should have never occurred.
  2. Georgetown University - March 6, 2003: The US Secret Service is called in to investigate the exposure of 41,000 records belonging to an Office of the Aging grant project at Georgetown. This incident emphasizes the fact that there is more than just student or staff information at colleges and universities we need to protect.
  3. Ohio University - May 6, 2006: Two different breaches expose upwards of 300,000 records. This incident is important since it was one of the first large-scale incidents to gain media attention.
  4. California State University, Stanislaus - May 26, 2006: Google’s Google Cache service indexes and makes available student information that was accidentally put up on Stanislaus’ web site for a short period in October 2005. This incident is a great example of the difficulty of controlling information once a leak has occurred.
  5. University of Kentucky - June 22, 2006: A USB jump drive containing 18 years’ worth of student data (including grades, names and SSNs) is stolen after a professor left the drive in a classroom. This type of incident will only become more and more common unless controls and policies are implemented prohibiting the use of such devices to store personal and/or sensitive information.
  6. Berry College - September 20, 2006: A contractor “misplaces” over 2,000 financial aid records at a local airport. This is an excellent example of why it is important for colleges and universities to make sure that contracted third parties take the protection of client information seriously and have safeguards in place to prevent this type of incident.
  7. Sacred Heart University - September 27, 2006: Stacy Koblinski is notified that her information was exposed during a recent security breach even though Ms. Koblinski is not a Sacred Heart student. With the increased sharing of student information and the collection of non-student information, the effects of security incidents can be felt far outside the campus community.
  8. St. Norbert College - October 28, 2006: St Norbert College notifies the campus community about a failed breach attempt and urges anyone who noticed unusual activity to alert the college. This incident is an amazing example of exactly what every educational institution should strive to do. Kudos to the staff at St Norbert College!
  9. Nassau Community College - December 5, 2006: A printout of all 21,000 student records is stolen off the desk of an employee. This incident is a perfect example of how security incidents involve information and not technology.
  10. University of California, Los Angeles - December 12, 2006: A database breach exposes 800,000 records. The sheer number of records exposed in this incident automatically gives it a spot on this list.


Posted in Information Protection
