A new report summarizing computer security incidents over the past year found that the number of losses and unauthorized disclosures of data increased markedly along with the number of colleges and universities affected. The most common incidents last year tended to involve "the release of information to unknown and/or unauthorized individuals," shifting the focus from hacker-style attacks to breaches involving information technology employees themselves -- whether acting knowingly or not.
The "Year in Review" report for 2007 by Educational Security Incidents, an online repository intended to collect data on security incidents in higher educational institutions, scoured online databases dedicated to campus security reporting, as well as news sources, to create a consolidated picture breaking down the number and types of breaches that occurred last year. The total number of incidents reported rose 67.5 percent to 139, and they affected 112 institutions, a 72.3 percent jump from 2006.
October's annual survey by the Campus Computing Project found that while problems resulting from computer viruses and spyware had plummeted over the previous two years, security incidents involving social networking sites (like Facebook) were increasing -- to 13.2 percent of campuses polled in 2007. Campus IT officials in the survey called network security the "single most important IT issue affecting my institution over the next two-three years," although the percentage saying so decreased from 30 to 25.5 percent over the previous two years. The survey also found an increase in physical theft of computer hardware and a small but growing fraction of incidents involving intentional wrongdoing by IT employees.
In what it called a "disturbing addition," ESI similarly created a category for employee fraud, consisting of a single incident at Wayne State University. Overall, employees were in some way "responsible for a large number of incidents" -- 47 percent -- outnumbering outside hacker-style breaches by about 2 to 1.
Kenneth C. Green, director of the Campus Computing Project, said that it was important to categorize the types of incidents because trends can reveal increases in some areas and dramatic decreases in others. He also warned that the type of institution matters: "Large universities are bigger targets and have more activity than do smaller colleges," he said.
The types of data being released -- whether by accident or through fraud, breaches or impersonation -- also vary. Like last year, the most common type of data involved in such incidents was potentially public personal information such as names, addresses and birthdays, followed by Social Security numbers. (Some 1,085,708 numbers were stolen, lost or otherwise disclosed in 103 separate incidents last year, according to the ESI report.) For the first time, the report found that in a small number of cases, campuses lost network user names and passwords.
The biggest increase came in disclosures of "educational" data, such as grades, which were involved in 30 incidents in 2007 compared to only one in 2006.
The report was compiled by Adam Dodge, an assistant director for information security at Eastern Illinois University. Dodge originally turned a graduate research project into ESI, whose Web site states: "On college and university campuses, sometimes the free flow of information is unintentional." ESI is not affiliated with the university.