The Last Watchdog

on Internet security by Byron Acohido

Market for stolen data glutted

Posted on March 13, 2008

So Harvard got hacked, losing the records of 10,000 applicants to its Graduate School of Arts and Sciences. The Ivy League school certainly is not alone. Harvard became the 16th school so far in 2008 to report data lost, according to a sort I did of attrition.org’s terrific data loss database, an open-source gem.

Harvard’s is the 257th instance of an educational institution reporting lost records since 2005. Total school records lost the past 3 years, 2.5 months: 5.3 million. Last year alone, 86 schools, mostly colleges, reported missing data for 915,754 individuals. By mid-March 2007, data thieves had hit 21 schools, so the 2008 pace appears to have slackened a tiny bit.

All told, some 329 schools, government agencies and health facilities reported losing more than 162 million individuals’ records in 2007, triple the amount reported in 2006. Could it be the bad guys have more stolen names, birthdates and Social Security numbers than they can possibly use in scams?

However you slice it, Harvard makes a good target for data thieves operating in a criminal market that would be sensitive to the fact that Harvard graduates tend to become high income earners, with big credit limits, 5 or 10 years after graduation. Data does store nicely.

An investigation by Harvard into the hack led the university to shut down the site from February 17-21 and to take measures to improve network security. “Hackers target universities because of the large number of users on their systems and the perceived potential to find security holes,” Bill Nolan, an expert in the legal issues surrounding data breaches and a partner in the law firm of Squire, Sanders & Dempsey, told me. “Universities face the same challenges as companies. The volume of information and the ability to transmit it relatively easily in electronic form has transformed much faster than organizations’ ability to manage that information.”

Universities make attractive targets, Nolan says, because they support a large number of diverse users, such as students, faculty and researchers; authority is spread out more so than in private corporations; and data often is stored in multiple formats and systems.

Nolan makes a valid point that the widespread adoption of state data loss disclosure laws, pioneered by California, contributes to the rising metrics. But it is also true that the cybercrime marketplace for data has become every bit as efficiently organized as Amazon and eBay.
