Student life, from loans and job applications to Facebook posts and Amazon purchases, has increasingly moved online. But with the rise of the Internet, a new type of crime has emerged. Once a problem limited to governments and corporations, cybercrime targeting sensitive data has quickly become one of the most pervasive dangers to the American college student. These digital threats, both external and internal, jeopardize the integrity and security of personal information for tens of thousands of past, present, and future UR students.
Institutions of higher learning in the United States are quickly becoming prime targets for cybercriminals around the world. While not able to release exact numbers, UR Chief Information Security Officer Julie Myers highlighted these concerns.
“An American university thwarts an average of 12 million daily attacks,” Myers said. “And our experience is typical.”
The Social Security Numbers, financial information, and other personal data of tens of thousands of students stored on university servers are no doubt enticing fodder for criminals. In an effort to combat the increasing threat, the University has taken several steps to improve the security of sensitive data.
“Over the past five years, the University has made significant investments in building a foundational information security program while mitigating the areas of highest risk,” Myers said.
“We have not had a reportable incident for a breach of personal identifiable information for faculty, staff, students or alumni since January 2009,” Myers continued.
Despite these successes, students are still at risk. While UR has generally thwarted outside threats to the University network, internal threats remain a serious concern. The mistakes and deliberate actions of individuals within the University are responsible for a large portion of the cybercrimes and security breaches that do succeed.
Email phishing, the practice of gathering credit card numbers, login credentials, and other information through false pretenses, remains a major issue at UR. Despite ongoing education, awareness campaigns, and warnings of ongoing phishing targeting campus emails, many in the UR community still fall prey to the schemes.
“Personal information of faculty, staff, students and alumni has periodically been compromised due to individuals providing information via email phishing schemes,” Myers said. The information leaked through these breaches affects not only the individuals targeted, but also those connected to the victim.
One victim, a teaching assistant who requested to remain anonymous, said, “…I was locked out of my account days before a test…I was not able to respond to questions of students.”
While the damage in this particular situation was relatively minimal, it is easy to imagine more severe consequences as the result of phishing.
Honest mistakes may account for many instances of internal security breaches; however, some threats are the result of purposeful action. The reasons behind intentional security breaches by individuals inside UR may be less nefarious in nature, but unauthorized access of personal information by those with special privileges remains a serious cause for concern.
Many undergraduate students, as a function of jobs or roles they hold on campus, have access to a significant amount of sensitive personal information stored on the University network.
“Access is granted to systems on a philosophy of ‘Least Privileged’ which says each individual must be able to access only the information and resources that are necessary for them to do their job,” Myers said in regard to the level of access certain students may have. The access some students have is often broad, and it is not uncommon for students to misuse this power, breaching the integrity of secure data.
A student employee in the IT center in Rush Rhees said, “…sometimes guys browse this database just because they’re bored…or just interested in someone.” The student, who wished to remain anonymous due to the sensitive nature of this topic, indicated that a large number of undergraduate IT workers have access to a significant amount of sensitive information on students, staff, and faculty from this database accessible by IT computers in the IT center.
When questioned for more details about students’ access to the database, Myers said, “To help ensure the security of our faculty, staff, students and alumni, I am not able to answer this question with the detail you would like.”
The improper access of sensitive personal information and data, however, is not solely limited to students in the IT department. Student employees who work with the Office of Undergraduate Admissions, Alumni and Advancement Center, Gwen M. Greene Career and Internship Center, and other UR departments confirm that they have access to a significant amount of personal information on prospective students, current students, and alumni at UR. Although the purpose behind many of these instances of inappropriate access is relatively benign compared to the aims of outside cybercriminals, the fact remains that there is recurring unauthorized access of sensitive information throughout the network. Due to the sensitive nature of the topic, an accurate estimate of the prevalence of these security breaches was not released by UR. The fact that some individuals have unfettered, and often unmonitored, access to large amounts of personal information, however, is certain.
While activity and browsing in digital databases such as the EPIC medical records system at the Medical Center are closely scrutinized through access logs, no information was released by UR on the presence of such measures for databases on the River Campus. According to Myers, the level of monitoring IT conducts on internal network activity is generally limited to observation of bandwidth usage, the amount of data uploaded and downloaded by a specific user.
“The University only monitors user behavior as it relates to the performance of the network and potential malicious activity,” Myers said. Most investigations by IT into suspicious network activity are launched upon discovery of abnormally large amounts of bandwidth being consumed by users on a regular basis. When these discoveries are made, Myers explained that “IT Security works with our Network team to understand who is consuming the bandwidth and an initial email is sent to the individual asking them to refrain from such behavior. If the behavior continues, an escalation procedure is followed.”
While some students express great concerns for privacy and their personal information, others readily accept these threats as a reality of the times.
“My personal information is already available to various people; the school has my social security number, and retailers have my credit card number. Therefore, my personal information is not really very ‘personal’ anymore,” junior Shruti Nayar said. “The thing is, if someone really put the time and effort into stealing someone’s information, they’d be able to. I’ll worry if something happens — there’s no point stressing about it before that.”
Whatever the sentiment, there is no doubt that cyber security will be under attack at UR for years to come.
Shinseki is a member of the class of 2015.