LifeLock Blog

August was an especially busy month for hackers, thieves and inept university IT employees. There were nine reported data breaches at American educational institutions last month—hackers were blamed for two; thieves for three; and, inept employees who inadvertently exposed personally identifying information caused three more.

The ninth incident occurred at the University of Texas, Brownsville and involved student and employee fraud. The security breach involved stolen test answers and no personally identifying information was revealed.

The total reported number of compromised records is low—roughly 2,000—but three of the universities failed to reveal the number of compromised records, so the total is undoubtedly higher.

• University of Oregon
  Unauthorized disclosure
  Roughly 20 student records exposed because of a flaw in the university’s degree auditing system.
• University of California, Berkeley
  School of Journalism
  Hacking
  Names, birth dates, and Social Security numbers of 493 students who applied for admission between September 2007 and May 2009 were vulnerable when the school’s web server was breached.
• Louisiana State University
  Unauthorized disclosure
  Number of affected records unknown
  Students’ personal information, including names and Social Security numbers, was inadvertently posted on an LSU web site.
• Northern Kentucky University
  Computer theft
  Names and Social Security numbers of at least 200 current and former students were contained on a laptop stolen from an on-campus, secured location. There was no mention of whether the information was encrypted or password-protected.
• California State University, Los Angeles
  Computer theft
  Names, address and Social Security numbers of more than 600 CSULA employees and former students were contained on two desktop computers and 12 laptops stolen from campus.
• Boston University
• ROTC Program
  Unauthorized disclosure
  6,675 ROTC students (406 from BU; the balance from other ROTC programs around the country) were affected when their records were inadvertently exposed on the Internet via a file-sharing program installed on a university computer.
• University of Massachusetts, Amherst
  Hacking
  Number of affected records unknown
  20 years of student records exposed in a data breach, which occurred last year between September 15 and October 27. Information includes names, Social Security numbers and some credit card information of current and former students who attended the university between 1982 and 2002.
• Bluegrass Community and Technical College, Lexington, KY
  Theft
  Little information is available, other than that personal information including Social Security numbers of 100 or fewer students was stolen from the college.

Information for this post was gathered from ESI (Education Security Incidents). For more information on data breaches at colleges and universities, visit www.adamdodge.com/esi/month/2009/08.

May has been a record-setting month for college and university data breaches so far in 2009. With a total of 177,487 exposed records from only three schools, May accounts for a big chunk of the total 414, 825 records reported lost so far this year, though it accounts for less than 10% of the 35 known data breaches.

NOTE: When reading the totals, it’s important to know that the actual number of data breaches and exposed records is like much higher; many data breaches go unreported, and among those that are reported many involve an unknown number of records. So far this year, six of the 35 reported data breaches involve an unknown number of records.

And with that caveat, ladies and gentlemen, we now induct the following institutions of higher learning into the Data Breach Hall of Shame:

• Ball State University

LOCATION: Muncie, Indiana
BREACH TYPE: Hacker/User error
NUMBER AFFECTED: 2,000 individuals
COMPROMISED DATA: Web accounts

• University of California; University Health Services Center

LOCATION: Berkeley, California
BREACH TYPE: Hacker
NUMBER AFFECTED: 160,000+ current and former students from UC Berkeley and Mills College
COMPROMISED DATA: Names, Social Security numbers, health insurance information, immunization records and patient/physician information

• Kapiolani Community College
  LOCATION: Honolulu, Hawaii
  BREACH TYPE: Hacker
  NUMBER AFFECTED: 15,487 current and former students
  COMPROMISED DATA: Names, addresses, phone numbers, birth dates, Social Security numbers

LifeLock provides identity theft protection to nearly 1.5 million Americans. Whether you’re a college student, a college applicant, a college graduate or the parent of any of these, you should visit LifeLock.com to learn more about their services. Enroll using the LifeLock promotion code DEFENSE to receive a discount.