Indiana's Butler University recently began notifying 163,000 students, alumni, applicants, faculty and staff that their personal information may have been accessed by hackers.
On May 28, 2014, police in California notified the university that a flash drive containing Butler employees' personal information had been found in a suspect's possession during an identity theft investigation.
"Upon learning of this, Butler University immediately notified the affected employees and launched an internal investigation," university president Jim Danko explained in the notification letter. "This investigation revealed that this personal information could have originated from unauthorized hacking into Butler University's computer network between November 2013 and May 2014."
Butler then retained third-party forensic experts to determine the full extent of the breach. Those experts determined that 163,000 people's names, birthdates, Social Security numbers and bank account information were also accessible to the hackers between November 2013 and May 2014.https://o1.qnsr.com/log/p.gif?;n=203;c=204660766;s=9477;x=7936;f=201812281312070;u=j;z=TIMESTAMP;a=20392931;e=i
All those affected are being offered a free one-year membership in Experian's ProtectMyID Alert service.
Gene Meltser, technical director at Neohapsis Labs, said by email that the fact that the breach went undetected for long clearly indicates that Butler needs to evaluate and improve its information security program.
"[A]ll expected security controls should have been in place to prevent this, including authorization, etc), processes (controlled access to sensitive data end environment, ongoing testing of security controls) and personnel (screening, training, awareness, etc.)," he said.
As Rook Security CEO J.J. Thompson told CSO Online, this is just one of many recent examples of educational institutions struggling to protect personally identifiable information. In just the past few months, significant breaches were discovered at Arkansas State University, Auburn University, the North Dakota University System, the University of North Carolina, and the University of Wisconsin, among others.
"These breaches are just the tip of the iceberg," Thompson said. "In other higher education incidents we have been involved with, it is common for us to find additional compromises that have gone on undetected for years."
Thompson listed three steps colleges and universities can take to prevent breaches like this: Identify where sensitive data is being stored, confirm that architectures to prevent and detect breaches are designed appropriately, and ensure that existing controls can do what they are designed to do.