VCU Crowned Champion in Higher Ed Data Breach Madness

Virginia Commonwealth University reported the largest data breach amongst higher education institutions in the United States in 2011, according to a recent analysis by Application Security’s research division TeamSHATTER.

The team gathered information on publicly reported data breaches reported by colleges and universities around the country in 2011 and ranked them in order of number of records breached to create March Madness-style bracket. Despite the fact that data breaches dominated headlines in 2011, higher education institutions fared better in 2011 than in previous years, TeamSHATTER found.

There was a dramatic decrease in both the number of higher education institutions and the volume of records that were compromised, according to the analysis. In 2011, 48 universities reported being breached, an improvement from the 57 breached in 2010. The biggest change is in the number of records breach, plummeting 70 percent in 2011 to 478,490 records, compared to 2010’s 1.7 million. In fact, 2011’s figures are at its lowest point since 2005, when Privacy Rights Clearinghouse began collecting the data.

While it was very encouraging to see the record-lows, TeamSHATTER advised IT teams higher education institutions "to proceed with very cautious optimism."

It’s quite possible that the drop in the number of breaches and volume of compromised records reflected the steps IT teams at universities have taken recently to protect their infrastructure, said Alex Rothacker, director of security research at TeamSHATTER.

"In total almost half a million of records were compromised, so there is still a long road ahead in getting the problem under control," said Rothacker.

There’s also a supply-and-demand problem, as the street value for stolen data has done down in the criminal underground, according to Josh Shaul, CTO of Application Security. The volume of data stolen over the past few years have created a glut, and criminals are seeing less demand for personal data.

The "Final Four" Top University Breaches of 2011
The champion, as identified in the "2011 Higher Education Data Breach Madness" list, was Virginia Commonwealth University. VCU was the only institution in 2011 to report a data breach in which more than 100,000 records were compromised, compared to three in 2010. Last year’s champion, Ohio State University, had lost 750,000 records.

In November, VCU reported personally identifiable information, including Social Security numbers, names, and school and personal email addresses for 176,000 students and employees had been exposed after a malicious worm had infected one of its servers. In some cases, dates of birth, job titles and other contact information were also illegally accessed, according to VCU.

The "final four," to continue the March Madness metaphor, included University of Wisconsin Milwaukee, Yale University and the University of South Carolina.  University of Wisconsin notified 79,000 students and employees in August that a database containing names and Social Security numbers had been compromised. During the same month, Yale notified 43,000 students and alumni that due to a configuration error, their names and Social Security numbers had been accessible via a Google search over a 10-month period. The University of South Carolina reported a breach affecting 31,000 faculty, staff, retirees and students last March.

While VCU and University of Wisconsin servers were compromised by malware, the incidents at Yale and USC were the result of human error.

While it is too soon to predict what 2012 would look like, Rothacker does not believe there is a downward trend for data breaches among higher education institutions. Rather, 2011 was a blip, he said. Despite the fact it’s only March, TeamSHATTER estimated that the number of breached records in 2012 have already exceeded the 2011 total. Arizona State University reported a breach of 300,000 records in January, and there have been other significant breaches at the City College of San Francisco, University of North Carolina Charlotte and Central Connecticut State University.

Attackers are also “busy elsewhere” as they join groups like Anonymous, which go after “much more interesting targets” than university servers, Shaul said.