Add Butler University to Breach List
Latest Incident Highlights Breach Vulnerabilities in Academia
A data breach affecting 163,000 students, faculty, staff and alumni at Butler University in Indianapolis, Ind., offers just the latest example of the risks facing educational institutions, which are seen as easy targets by cyber-attackers.
On May 28, Butler University was contacted by California law enforcement and alerted to an investigation involving a suspect who had in his possession a flash drive containing the personal information of certain Butler University employees, according to the notification letter being sent out to impacted individuals. The suspect has been arrested, says Marc Allan, a spokesperson for the university.
The investigation revealed that the personal information stored on the flash drive could have originated from a cyber-attack on Butler University's network between November 2013 and May 2014, the university says. Third-party computer forensics experts were brought in to confirm the breach.
"Following a detailed forensic analysis, which was completed in partnership with third-party experts, we determined that approximately 163,000 unique individuals had confidential personal information that was accessible to the hackers," says Matt Mindrum, vice president for marketing and communications at Butler University.
While the forensics investigation is still ongoing, the university has determined that information compromised during the unauthorized intrusion includes names, dates of birth, Social Security numbers and bank account information. Those affected by the breach are being offered one year of free credit monitoring services, the university says.
Academia an 'Easy Target'
Attacks against educational institutions continue because they're seen as an "easy target" for cyber-attackers, says Tyler Shields, a security analyst at Forrester Research.
"In general, academic institutions operate in a culture of open communication and collaboration among the different faculty, staff and research groups in the university," says Shields, who previously worked for Rochester Institute of Technology in New York. "This culture of openness makes it very difficult for the IT groups to erect security controls and still have the same user experience with unencumbered access to content and data."
The lax security, coupled with cutting-edge academic research and content, makes educational institutions a ripe target for attackers. "Additionally, the user base is highly mobile and working from every location you can imagine," Shields says. "Securing this mobility adds yet another layer of complexity to an already difficult process."
Colleges and universities, like other organizations, need to adopt a defense-in-depth approach, says privacy and security attorney Ronald Raether of Faruki Ireland and Cox PLL (see: University Breaches: A Continuing Trend). That includes data segregation, improving network architecture and increasing the hardening and patching of systems.
Another key component to securing academic institutions is to compartmentalize the content based on a risk profile, says Shields. "Start with the data, rate the risk, rate the chances of compromise and apply security controls in an appropriate quantity to mitigate this risk."