College campuses often targets of Internet hackers, officials say
In August, the sensitive information of thousands of patients at Stanford University Hospital in California was illegally posted on the Internet, putting more than 20,000 people at risk of identity theft and misuse.
More than a month after the breach, officials at the Ivy hospital still are trying to figure out just how Stanford’s IT system—which has been praised for security at the highest level— failed.
At University of Michigan and Eastern Michigan University —the gatekeepers of sensitive information for tens of thousands students, patients, faculty and staff— the fear of a large-scale security breach is ever present.
“This is what every major institution doesn’t want reported about them,” U-M IT Communications Director Alan Levy said of the Stanford breach.
Both universities have dozens of people on staff and several protections in place to limit hacking, but despite their efforts, slip-ups are made and, from time to time, breaches still happen.
“Big institutions run very large data systems with very sensitive data. You don’t want people hacking into your system,” Levy said “It’s a nightmare. It’s very, very costly both reputation-wise as well as in terms of dollar value.”
Last academic year, EMU was twice hit by hackers. In March, two student employees obtained student information, including Social Security numbers and dates of birth, and possibly provided it to outsiders.
Unlike most information security breaches, the incident was “old-school theft,” according to Carl Powell, EMU’s chief information officer.
“It was just old-school grab papers and write things down,” Powell said.
In September 2010, a computer server was hacked, possibly exposing the online banking log-ins and personal identification numbers for some employees.
The server did not store student information, Powell said.
U-M also has been victim to breaches, experiencing three personal information thefts in the past five years. Two were the traditional grab-and-run incidents, and one was an electronic hacking.
In June 2006, documents that were supposed to have been stored digitally and then shredded were stolen from a storage room. The papers contained the personal information of credit union members and were used to perpetrate identity theft.
In July 2007, university databases were hacked and names, addresses, Social Security numbers and birthdates of students were exposed. Less than three months later, tapes containing names, addresses and Social Security numbers were stolen from U-M’s school of nursing.
“There are certainly attempts to hack into the university system,” Levy explained. “But there’s a pretty significant amount of energy put forward to try to stay one step ahead of the bad guys.”
Both EMU and U-M have teams that monitor false and unsuccessful log in attempts. Additionally, both schools heavily restrict access to sensitive files.
“We have people who find holes in your system so you can plug them up,” Levy said. “Serious incidents are relatively infrequent.”
For students living on campus, the university offers free computer anti-virus programs. Those programs are preventative on two prongs, Levy says.
“We don’t want your computer to be infected, and we don’t want your computer to then infect a large system,” Levy said. “We are both looking out for the interest of the individual and the university.”
Large-scale breaches aren’t the only concern of university officials.
According to Powell and Levy, students often fall victim to Internet scam artists. One common scam is called phishing, which is what happens when students receive an email asking for personal information from someone posing as an institution or business.
“They send a message that looks like it came from your bank or a credit union or from an IT department,” Levy said. “They tell you to do something that you should never do.”
Such emails often send you to a website that requests a password or personal information update. When the sensitive information is entered, it is taken by the hacker and is usually used in a damaging way.
Powell remembers when a colleague from another university fell prey to a scam artist posing as her bank.
“They basically said 'We found a fraud on your account, please click here to log onto your account and verify you banking identity,'” Powell recalled. The co-worker fell into the trap, entered her personal information and lost thousands of dollars, Powell said.
“Effectively what she just did is surrender all her banking credentials to someone,” Powell said. “Once you give people your bank account information, there’s no protection. If someone wipes out your bank account, its like taking cash out of your wallet.”
Levy says that while U-M has a sophisticated spam filter for the university email system, unwanted scams slip through the filter from time to time. He said he gets about three reports of phishing attempts a day. Each year, at least a handful of students fall prey to the scam, he said.
“We used to get this all the time, and now it's much less common because of the filter, but the filter doesn’t catch everything,” Levy said.
Powell said that EMU is seeing a specialized kind of email scam, which he calls spear-phishing. Some scammers have moved from using generic bank identities to posing as EMU staff. In those e-mails, the scam artists poses as an university administrator and asks for sensitive information.
“They tend to laser in a little bit more on their audience, which tends to get better responses,” Powell said.
But hackers aren’t always unknown individuals operating from faraway places.
Levy says that in addition to phishing, he’s seen students’ personal accounts hacked by former friends or significant others who were once entrusted with sensitive passwords.
“We’ve had some examples where an ex-boyfriend still had access to his ex-girlfriend’s email and used that access in very inappropriate ways that were harassing and threatening,” Levy said.
“There have been several examples of this over the years,” Levy continued, adding that some cases have led to criminal charges.