It’s March Madness time of year again. (Seeing that my school’s men’s basketball team is really bad and won’t be playing again until next November, I’ll cheer on my default school, Marquette. You can probably guess why.)
It is also that time of the year when Application Security’s research arm, TeamSHATTER, reveals its annual Data Breach Final Four, which focuses on higher education and data security matters. I like TeamSHATTER’s approach to this topic – not only for how it uses the popular tournament bracket to show how these schools are affected by data breaches, but also for how it highlights what a serious problem this is on college campuses across the country. Describing how the bracket is put together, TeamSHATTER explained on its blog:
Just like in previous years, the data breach madness “bracket” is determined solely by the number of reported breaches in 2012. Every college or university that reported a breach was seeded (ranked) based on the number of records compromised. From there, the institutions went head to head. The larger the breach, the further they went in the tournament, until the winner (the institution with the most records compromised in 2012) is crowned. You can check out last year’s blog post and corresponding bracket here.
The good news is that there were fewer schools suffering breaches last year (in fact, the bracket couldn’t be properly rounded out to 64 “teams”). The bad news, of course, is that schools are still dealing with breaches. Thom VanHorn, Vice President, Marketing, AppSecInc, explains why that might be:
University environments are susceptible to breaches due to factors like easy-to-guess passwords and outdated infrastructures, and as a result put students, alumni and employees at risk. Oftentimes, our nation’s colleges and universities can be a playground for young hackers, testing their skills.
Not to mention, college campuses are BYOD madness – students own and use their own devices to access the school’s network, as do professors and staff. Add to that the incidents where professors misplace laptops, or report them stolen, that stored decades-old student records. Remember, for many colleges, until recently, Social Security numbers were used as student and faculty ID numbers, and that data is still sitting in those old records, as well as stored on the campus network somewhere. Colleges are truly a treasure trove of data, a serious cybercriminal’s dream hit.
So the university that had the worst breach of 2012? That unfortunate distinction goes to the University of Nebraska, which reported a breach of 654,000 records last May. The other “Final Four” teams were the University of North Carolina (350,000), Arizona State University (300,000) and Northwest Florida State College (279,000).
I’m thankful that this is one bracket that my favorite school missed out on this year. This is one of those times when it is good to be a loser.