In 2012 we learned that university data breaches are a real and growing threat. In honor of this week’s bowl games we decided to unscientifically match two large university data breaches in a comparative discussion. With 2013 being the year of prevention, we hope that both teams walk away with good ideas on how to prevent such breaches in the future.
This year’s dBCS (data Breach Championship Series) Fiesta Bowl headed south in a showdown between Northwest Florida College and the University of North Carolina at Charlotte (UNC-Charlotte). These two worthy schools suffered significant data breaches of sensitive information. A play-by-play analysis reveals which school came out on top.
Northwest Florida State College kicked it off with a staggering 300,000 student and employee records lost between May and September. These records included personally identifiable information (PII), including social security numbers and bank routing numbers—information that sent a collective shudder around the stadium. Northwest Florida had possession of the ball for much of the game, from May to September, when hackers accessed a folder on the college’s main server multiple times. This is not the first data breach Northwest Florida suffered, and extra points go to the team for the exposure of routing numbers. With a possible 67 reports of identity theft, Northwest Florida has raised the bar for its opponent. In response, the college notified victims via letter and also set up a website that included information on how to place a fraud alert and links to help victims of identity theft.
UNC-Charlotte started off strong with a breach of 350,000 records of students and staff, 50K more than Northwest Florida. As with its opponent, the breached information included PII—social security numbers and “financial account information.” The breach occurred when a system misconfiguration and incorrect access settings allowed the information to be accessible from the Internet. While the general university system was exposed for “only” three months, the William States Lee College of Engineering was accessible for over a decade. Team strategy included notification and an informational website, as well as “enhanced” internal review procedures to track potential problems.
Wow, this was a close one. Both teams deserved penalties for their nonchalant defense against their respective data breaches. Notification letters and websites are little consolation to victims and potential victims. More proactive action, namely free credit monitoring and identity theft remediation services for actual victims, would have reassured the affected population and enhanced each school’s reputation. Preventive measures, such as annual risk assessments and strict encryption policies, would have reduced the impact or likelihood of each data breach. While the Northwest Florida incident caused possible identity theft, the winner of this year’s dBCS Fiesta Bowl was without a doubt UNC-Charlotte. A decade-long data breach is one for the record books.