Skip Links

Are colleges and universities at greater risk of data breaches?

Higher education data at risk, security vendor says

By , Network World
September 15, 2010 12:16 PM ET

Network World - A database security vendor says colleges and universities need to do more to secure their databases against break-ins.

10 of the worst moments in network security history

Application Security, which uses the name AppSec, reviewed data breaches in higher education, drawing from a variety of published sources. The company, based in New York City, specializes in database security and has two main products: DbProtect, an application for database security, risk and compliance; and AppDetectivePro, which automatically discovers all database applications on a company's network and evaluates their security.

The data in its report, "An Examination of Data Breaches at Higher Education Institutions," highlights increasing data-loss incidents at colleges and universities. But it doesn't clearly distinguish between the business market as a whole and the higher education sub-market, and it does little to put the higher education breaches into context.

Back-to-school IT projects reshape campus life

For example, the AppSec document cites data from Privacy Rights Clearinghouse to assert that "higher education institutions have experienced a substantially large number of data breaches – nearly 160 breaches and more than 2.3 million records breached since 2008."

But using the same PRC sortable database, the "Chronology of Data Breaches", it turns out that other segments, though indeed with a lower total number of data breaches for the same period (ranging from the 60s to mid-90s), have exposed more records: more than 3 million for government and military, and 39 million for financial services companies, depending on the types of breaches considered. Healthcare, with at least roughly 80 breaches, exposed 1.5 million records.

AppSec notes, correctly, that higher ed is on pace to report more breaches this year than last year. But according to the PRC database, so are financial services, retail, government/military, and healthcare, all of which have a larger number of year-to-date security incidents than does education.

Turning to another source,, AppSec pulls other data that says roughly the same thing for higher education: 89 breaches affecting "in excess of one million records" in 18 months from January 2009 to August 2010. DatalossDB ranks higher ed as No.2 among markets experiencing database breaches, according to AppSec. But it's not clear exactly where that data comes from. A page of statistics, in the form of pie charts, shows education with 29% of reported "incidents" (of all types), a general "Biz" category with 49%, government with 18%, and healthcare with 13%.

According to the AppSec document, where "many of these breaches occurred, the institutions had passed PCI compliance audits. Compliance does not equal security." But the assertion would only be meaningful if college and university security staff believe that compliance did equal security. AppSec doesn't offer evidence of this, nor any comparative data to show whether breaches are more or less common in other industry segments that are, or are not, PCI-compliant.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News