Florida College Breach Exposes Education Sector Security Perils

Anthony Freed
By | October 11, 2012

Posted in: Network Security Trends

In a recently discovered network intrusion that may have lasted for several months, the personal information of several thousand Florida college employees, and potentially hundreds of thousands of students, are thought to have been exposed in what officials described as "a professional, coordinated attack by one or more hackers."

A preliminary investigation has revealed that from approximately May 21 through September 24, 2012,  files located on a main server at Northwest Florida State College were illegally accessed, compromising the names, social security numbers, dates of birth, and direct deposit bank account information of approximately 2,200 past and present employees who worked at the school since 2002.

At least 50 employees are known to have already been the victim of identity theft - including college president Ty J. Handy - by way of personal loans taken out by the attackers through PayDayMax, Inc. and Discount Advance Loans, as well as through a number of fraudulent Home Depot credit card accounts having been opened in the employee's names.

"We believe the hackers have to do specific work to pull together enough information about an individual to steal their identity. We do not believe the hackers have accessed this information about all 2,200 individuals but this potential does exist," a memo from Handy explained.

No instances of identity theft regarding students have yet been reported, and officials are still trying to determine exactly which students may have been exposed in the breach. The school is planning on notifying those at risk within the state-mandated 45 day notification period. Officials also believe that as many as several dozen service providers could have had sensitive financial information compromised during the breach.

"We believe student information including public directory information as well as birth date and social security number may have been accessed, however, we have no evidence at this point that this information was taken. We believe a few vendors (less than 40) with whom we do electronic funds transfers for bill payments may also have had account information taken but, again, we have no concrete evidence this information was taken," Handy continued.

Handy stated that the "access pathway used to invade our main server has been sealed," that the Okaloosa County Sheriff’s Cybercrimes Unit is assisting in the investigation, and that a third-party security consultant was brought in to "provide an additional level of comfort that no additional 'soft spots' exist in our IT security practices."

The breach highlights the fact that the majority of schools are falling behind in critical security tasks like assessments, remediation, training, updating policies and procedures, and regulatory compliance.

The problem stems from lack of funding. Year after year of steep budget cuts in the education sector have left schools more exposed than ever to information security threats as the pace of hardware and software upgrades takes priority over comprehensive vulnerability analysis, and the result is that many data loss events probably go completely unnoticed for long periods of time.

Higher education students are also a particularly vulnerable population when it comes to criminal exploitation. At the beginning of the school term, students typically receive thousands of dollars in deposits to their accounts, making them an attractive target for cyber-thieves.

"I regret that this situation has occurred. It is most unfortunate. I applaud the quick response and hard work of the IT department to identify and close the access point and for their ongoing efforts to ferret out what and who was compromised once they became aware of the infiltration," Handy stated.

Officials are recommending those affected in the breach initiate 90 day fraud alert watches with all three credit reporting agencies, as well as monitoring their own accounts regularly.

"I recognize that this is a significant hassle for those whose information is used to commit Identity Theft. I was one of the first seven or eight to be hit personally and I have spent several hours on the phone working with my bank and others to protect myself. It is not an enjoyable experience and for that I apologize," Handy said.

You May Also Be Interested In: