The Lockdown

Thycotic’s Cyber Security Blog

Universities under Attack—Securing student, faculty, and staff’s personal information

Written by Thycotic Team

February 10th, 2015

Understanding the Size of the Education Industry

Sometimes a business finds out about a data breach the hard way, and that was the case for Butler University in May 2014. Police investigating an identity-theft case in California found a flash drive on one of their suspects that held the personally identifiable information (PII) of Butler University employees. Once contacted, Butler began an investigation and determined that its network had been compromised in November 2013 and had remained compromised until May 2014. Butler promptly sent letters to everyone whose information was exposed, explaining the breach and offering a year of free credit monitoring.

Colleges hold personal information on a great many people: 160,000 people connected to Butler University had their information exposed, including students, employees, faculty and even applicants who never enrolled. Universities not only compile a lot of information, they also keep it for a very long time; one woman whose information was exposed had not taken a course there since 1983. The education sector is large and holds data as sensitive as any other sector's, so colleges and school systems need to take security just as seriously.

Universities are Businesses Too

Higher-education institutions know this well, but students and alumni can easily forget it: colleges and universities are, in fact, businesses. Students who pay tuition and fees hand the school their financial information, and schools keep employee data on file for employment records and payroll. A school that accepts card payments is subject to the same PCI DSS requirements as any other merchant.

Protecting personal information at a college or university can be more complicated than securing financial transactions: many universities run health services for their students and therefore hold protected health information (PHI). A university health service that operates as a HIPAA covered entity must meet HIPAA's requirements and faces serious penalties if that information is compromised (student treatment records are in many cases governed by FERPA instead, but the duty to protect them is no lighter). Because of the health data they store, universities attract the same criminals who target hospital networks, and they carry the same responsibility for protecting it.

How Privileged Account Management Could Have Reduced Butler's Risk

Police say the suspect found with the flash drive of Butler employees' personal information had no connection to the university, which points to an outside attacker who gained remote access, most likely through an internet-facing system. How the attacker got in was not disclosed: a default password left unchanged, a weak password that was brute-forced, or a vulnerability in an exposed service that gave access or escalated privileges without any password are all plausible. Whatever the path, patching systems and applications is critical, above all for those exposed to the public internet. And the fact that the network stayed compromised for six months suggests that privileged credentials were not being rotated on any regular schedule and that access to them was not being monitored closely enough to notice an intruder.

Butler should re-evaluate the security of its systems and change every password on the network, since any credential the attacker captured must be assumed to still be valid. The IT team should generate strong, unique passwords for every privileged account, keep to a rotation schedule, audit access to and changes of privileged accounts, and control who can use which accounts on the network.
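The checks above (default or weak passwords, overdue rotation, an audit trail of changes) are easy to script against a privileged-account inventory. The following is an added example written for this page, not Butler's or Thycotic's code; the hostnames, accounts, passwords, rotation dates, the 90-day/20-character policy and the audit date are all constructed assumptions:

```python
"""Privileged-account hygiene audit over a constructed inventory (example, not Butler's or Thycotic's code)."""
import secrets
import string
from datetime import date

# Assumed policy values (not from the post): rotate privileged passwords at least
# every 90 days and require 20+ characters drawn from all four character classes.
MAX_AGE_DAYS = 90
MIN_LENGTH = 20

# Assumed audit date; the post says the compromise lasted until May 2014.
REFERENCE_DATE = date(2014, 5, 20)

# Constructed list of vendor-default / trivially guessable passwords.
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "root", "123456", "Welcome1"}

# Constructed inventory in the form a password vault would hold it. Hosts, accounts,
# passwords and dates are made up; "internet_facing" marks systems reachable from the public internet.
INVENTORY = [
    {"host": "www-portal", "account": "root", "password": "changeme",
     "internet_facing": True, "rotated": date(2013, 3, 15)},
    {"host": "www-portal", "account": "tomcat", "password": "H7!kq2#zPv9$mLw4xRb1@Ns",
     "internet_facing": True, "rotated": date(2014, 4, 30)},
    {"host": "hr-db01", "account": "sa", "password": "Butler2012",
     "internet_facing": False, "rotated": date(2012, 8, 1)},
    {"host": "hr-db01", "account": "backup_svc", "password": "Xk3$pq!Lm9#vZr2&Ty8@Wn5c",
     "internet_facing": False, "rotated": date(2014, 2, 10)},
]


def is_strong(password):
    """Length plus one character from each class; a real vault would also block reuse."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    return len(password) >= MIN_LENGTH and all(any(c in cls for c in password) for cls in classes)


def generate_password(length=24):
    """Cryptographically random password that satisfies is_strong().

    string.punctuation includes quotes and backslashes; trim the alphabet for
    systems that reject them.
    """
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if is_strong(candidate):
            return candidate


def audit_account(entry, today):
    """Return the list of policy violations for one inventory entry (empty if clean)."""
    issues = []
    if entry["password"] in DEFAULT_PASSWORDS:
        issues.append("default-password")
    elif not is_strong(entry["password"]):
        issues.append("weak-password")
    age = (today - entry["rotated"]).days
    if age > MAX_AGE_DAYS:
        issues.append(f"stale-{age}d")
    return issues


def audit_inventory(inventory, today):
    """Map (host, account) -> issues, internet-facing systems first so they get fixed first."""
    findings = {}
    for entry in sorted(inventory, key=lambda e: not e["internet_facing"]):
        issues = audit_account(entry, today)
        if issues:
            findings[(entry["host"], entry["account"])] = issues
    return findings


def rotate(entry, actor, today, audit_log):
    """Replace the password in place and record who changed which account and when."""
    old = entry["password"]
    entry["password"] = generate_password()
    entry["rotated"] = today
    audit_log.append({"when": today.isoformat(), "actor": actor, "host": entry["host"],
                      "account": entry["account"], "action": "rotate"})
    return entry["password"] != old


if __name__ == "__main__":
    log = []
    for (host, account), issues in audit_inventory(INVENTORY, REFERENCE_DATE).items():
        print(f"{host}/{account}: {', '.join(issues)}")
    for entry in INVENTORY:
        if audit_account(entry, REFERENCE_DATE):
            rotate(entry, "pam-admin", REFERENCE_DATE, log)
    print(f"rotated {len(log)} account(s); remaining findings: {audit_inventory(INVENTORY, REFERENCE_DATE)}")
```

Run as a script it lists the internet-facing root account first (default password, 431 days since rotation), then the two database accounts, rotates each flagged account and leaves an audit record of who changed what. The same loop scheduled daily is the "stay current with scheduled password changes" step; the audit log is what would have shown an unexpected use of a privileged account during the six months the network sat compromised.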

The education industry has a great deal of data to protect, and failing to protect it brings fines and a loss of credibility that could cost a school prospective students. Read more about protecting privileged accounts at universities and watch the University of San Diego case study video on how it protects its students' data.