Some Colleges Falling Short in Security of Computers
By TOM ZELLER Jr.
Published: April 4, 2005

If the computer age is continually testing how well institutions protect personal information, the nation's colleges and universities may be earning a failing grade.

Last Monday, administrators at the University of California, Berkeley, acknowledged that a computer laptop containing the names and Social Security numbers of nearly 100,000 people - mostly graduate school applicants - had been stolen.

Just three days earlier, Northwestern University reported that hackers who broke into computers at the Kellogg School of Management there may have had access to information on more than 21,000 students, faculty and alumni.

And one week before that, officials at California State University, Chico, announced a breach that may have exposed personal information on 59,000 current, former and prospective students.

There is no evidence that any of the compromised information has been used to commit fraud. But at a time of rising concerns over breaches at commercial data warehouses like ChoicePoint and LexisNexis, these incidents seem to highlight the particular vulnerabilities of modern universities, which are heavily networked, widely accessible and brimming with sensitive data on millions of people.

Data collected by the Office of Privacy Protection in California, for example, showed that universities and colleges accounted for about 28 percent of all security breaches in that state since 2003 - more than any other group, including financial institutions.

"Universities are built on the free flow of information and ideas," said Stanton S. Gatewood, the chief information security officer at the University of Georgia, which is still investigating a hacking incident there last year that may have exposed records on some 20,000 people.

"They were never meant to be closed, controlled entities. They need that exchange and flow of information, so they built their networks that way."

In many cases, Mr. Gatewood said, that free flow has translated into a highly decentralized system that has traditionally granted each division within a university a fair amount of autonomy to set up, alter and otherwise maintain its own fleet of networked computers.

Various servers that handle mail, Web traffic and classroom activities - "they're all out in the colleges within the university system," Mr. Gatewood explained, "and they don't necessarily report to the central I.T. infrastructure."

Throw in aging equipment, an entrenched sense that information should be as free-flowing as possible, and a long-standing reliance on Social Security numbers as the primary means of identifying and tracking transient populations, and the heightened vulnerabilities of universities become apparent.

"We sometimes battle networks and mainframes in place since the 1960's," said Mr. Gatewood, "and mind-sets in place even longer."

For years, the Social Security number served as the default identifier for students, faculty and staff at nearly every university and college. It was printed on identification cards, posted on bulletin boards along with grades, and used to link bits of information - spread across dozens of networked databases - on each individual.

A handful of states - Wisconsin, California, Arizona, New York and West Virginia - now ban or limit the use of Social Security numbers in this way, according to a compilation of state and federal laws by the privacy advocate Robert Ellis Smith. And many universities have already abandoned or are in the process of moving away from using Social Security numbers as the primary means of identifying students.

But a 2002 survey by the American Association of Collegiate Registrars and Admissions Officers indicated that at least half were still using it as the primary identifier for students in their databases. And because the number has been used to link so many records across so many different databases in so many different departments for so long, abandoning it quickly is nearly impossible.

"It's complicated," said Virginia Rezmierski, the assistant to the vice provost for information technology at the Ford School of Public Policy at the University of Michigan. "We started a long time ago, and gave the university seven years to complete the process."

The University of Michigan essentially completed a migration to randomly generated identifier numbers in 2003. But Professor Rezmierski points out that myriad entities both inside and outside the university still use Social Security numbers, forcing universities to continue to handle them. Most of the national testing agencies, for instance, still use Social Security numbers to identify the scores of incoming students, Professor Rezmierski said.

Another problem, according to Jonathan Bingham, the president of Intrusic, a company that develops tools designed to uncover security breaches, is that universities have tended to put too much emphasis on preventing attacks from worms and viruses and too little on capturing troublemakers who quietly stroll through their databases.

The leaking of names and Social Security numbers from all these universities was not the result of noisy, destructive attacks, Mr. Bingham pointed out. "These are all problems that have nothing to do with that," he said. Rather, "someone's been able to get into the network that doesn't want to be detected."

Of course, not all universities are equally vulnerable, and some are more adept at protecting their data.

"Many of the better universities have better security in place than some corporations," said Eugene H. Spafford, the executive director of the Center for Education and Research in Information Assurance and Security at Purdue University. And because federal laws governing the handling of student data - specifically the Family Educational Rights and Privacy Act of 1974 - have been in place for longer than many other privacy statutes, Mr. Spafford said, data security "has been a concern at universities for some time."

And yet it appears that, on the whole, schools remain comparatively low-hanging fruit for hackers and thieves.

"I think it has shaken people up," said Professor Rezmierski of the University of Michigan, who is conducting a study of computer-based incidents at colleges and universities across the country. "Often it takes these kinds of incidents to get people to pay attention."