Breach Bracket: The “March Madness” Tournament Every School Is Trying To Avoid

Call it “March Madness” of a more sinister sort.

The security researchers over at AppSecInc's TeamSHATTER — a company that provides database security, risk and compliance solutions — have released their annual data breach madness “bracket,” highlighting which educational institutions have endured data breaches over the past 12 months. The team found that although the number of reported breaches (51) in 2012 was relatively low compared to what they've seen in previous years, the number of compromised records was at an all-time high (1,977,412), with records stolen in 2012 more than three times that of 2011 (478,490).

Security Bistro spoke to Alex Rothacker, Director of Security Research for TeamSHATTER, who said that while the number of breaches year-to-year has remained relatively consistent, a change in how records are maintained and collected has led to this record number of compromised records.

“Like all organizations, higher ed organizations collect more and more information in electronic form and I expect to see an increase in the total size of the breaches for awhile,” he said.

Educational institutions, said Rothacker, are appealing targets for a variety of reasons.

“[They have] lots of Personal Identifiable Information (PII), usually for the whole student and teaching body, as well as alumni information and sometimes parent info. These are huge datasets (sic) with lots of great info for identity thieves,” he said. “And due to some of the unique circumstances in higher ed, like students being part of the administrative teams, an open and research friendly atmosphere, lots of access points into the network, higher ed is an easy target compared to large corporations with large IT and security budgets.”

According to the latest U.S. Cost of a data breach study, conducted by the Ponemon Institute, the average cost of any sort of data breach was significant: $840,000 for a malicious breach (nearly twice the $470,000 cost of a non-malicious breach).

Despite the costs, Rothacker doesn't necessarily believe institutions are more prepared.

“Is there really heightened awareness? Too many people still don’t understand basic computer safety and with no malicious intent make mistakes that allow hackers entry into systems,” he said. “The high turnover at campuses with new students coming in every year poses a particular challenge to IT security in higher ed.”

So with a constantly changing population as students come and go, and growing amounts of sensitive data, Rothacker said that universities can do a few things to make sure they don't appear on this list next year.

“Better separation of networks, trained and skilled IT security staff and a heightened focus on data-security will be the only way to fix these problems,” said Rothacker. “Currently, it is very easy for any organization to buy themselves out of facing the consequences of breaches by simply buying credit monitoring at wholesale prices, instead of investing into real security. At the same time, colleges with IT programs have the unique opportunity to create new security curricula and thus train their own talent.”

So who “won”?

This year's Final Four (and the number of records breached): the University of North Carolina at Charlotte (350,000), Arizona State University (300,000) and Northwest Florida State College (279,000). Taking home the crown was the University of Nebraska, which endured a breach of 654,000 records on May 25, 2012.

No shining moments here.