Hardly a day goes by without a media report about a data breach that exposes the personally identifiable information (PII) of individuals. And unlike 2013 and 2014, when national retailers made headlines, now it is “cornerstone” institutions – hospitals, insurance companies and colleges/universities. While much of the news regarding data breaches focuses on the harm to consumers, data breaches also harm the organization experiencing the breach. Potential direct financial costs of a data breach include legal representation, fines (depending on the nature of the breach), and the expense of notifying affected individuals.
Organizations also face losses in reputation and consumer confidence. Particularly important for higher education institutions are reputational consequences, which could result in a loss of alumni donations and even a reduction in the number of students choosing to apply to or attend the institution.
As long as there are cyber criminals, data breaches will continue, and educational institutions are increasingly becoming a favorite target because of the sheer volume of student information they handle – and the fact that payment processing happens all over campus, from the ticketing office to the bursar’s office to the cafeteria. In 2014, there were over 30 educational institutions that experienced data breaches. The leading cause – 60% of the breaches – was malware.
Since 2005, the Privacy Rights Clearinghouse (PRC) has documented over 727 breaches involving educational institutions, with more than 14 million breached records. These breaches involve higher education institutions as well as trade schools, K–12 schools and school districts, and education-related nonprofit organizations.
Just this month, the University of Virginia (UVA) reported an attack on its university network. The incident is simply the latest in a line of attacks against educational institutions, several of which have been reported as originating in China. UVA conducted an investigation, and while banking information and social security numbers were secure, the university had to take down its IT systems as part of a comprehensive security upgrade.
Earlier this year, Pennsylvania State University’s college of engineering revealed that it had suffered multiple data breaches over the past several years that forensic investigators at the cybersecurity firm FireEye (FEYE) have traced back to China. And last year, both Johns Hopkins University and the University of Maryland announced that they had fallen victim to data breaches as well.
The list goes on and on, from UConn to Harvard, and the aftermath is the same: investigations reveal that the damage has already been done, personal and payment information has been stolen, and the process of informing students, alumni and donors begins. And updating security systems and sending notifications to change passwords just doesn’t seem to be cutting it when it comes to a total solution for securing all types of data.
In January, over 2,000 current and former employees and students of the University of Chicago, Department of Medicine, had their information exposed through a breach of the University’s Biological Sciences Division (BSD) database. According to DataBreaches.net, who first reported on the incident, the Carbonic hacker collective took credit for the data breach and said they were able to perform the hack by leveraging a vulnerability and accessing a server that included salary and patient data.
A quick summary of the breach by SC Magazine reveals that the number of victims is undisclosed and that, according to a notification letter signed by Kenneth Goodell, executive administrator of the Department of Medicine, and Everett Vokes, chairman of the Department of Medicine, “We have corrected the vulnerability and taken steps to prevent similar problems from occurring in the future.”
So really, are we to believe that an external attack couldn’t happen again to any of the universities mentioned above?
According to the Ponemon Institute / IBM Cost of Data Breach Study, the per-record cost of a data breach reached $154 in 2014, up 12% from 2013’s $145. Multiply that by the thousands, perhaps millions, of faculty members, alumni donors, and students – past and present – within a breached educational institution, and it’s clear that cleaning up the mess of a data breach after the fact is not an effective plan to keep data secure.
Educational institutions, as well as all businesses that store cardholder data, need a layered approach to data security, and that starts with PCI-validated Point-to-Point Encryption (P2PE). Bluefin’s PCI-validated P2PE encrypts cardholder data at the point of entry – at swipe – preventing clear-text cardholder data from being present in a merchant’s or enterprise’s system or network, where it could be accessible in the event of a data breach. Our security solutions span every payment acceptance method, from mobile, to retail, to kiosk and unattended, to call center, to online.
With reputations and consumer confidence at stake, and with the resulting risk of reduced alumni donations or student enrollment, it is time for a better plan. Learn more about Bluefin’s P2PE and how we can help your institution secure your brand and your business today.