Eight Ways Universities Fumbled Data Security

Ball security is essential to a football team's success. Similarly, data security is essential to a university's success because data security failures requires repurposing resources that could have been used to further the university's mission. 

Eight incidents in the past year highlight how simple data handling errors caused these universities to fumble data security. How could these incidents have been prevented?


Problem Emails

The Poly Post - Massive Data Leak

A Cal Poly employee sending an email containing advising information to 940 computer science students inadvertently attached a spreadsheet containing personal information for 4,557 other active students. Data included student ID numbers, grade point averages and other personal information. 

Atlanta Journal-Constitution - Georgia Tech mistakenly releases data about nearly 8,000 students

A Georgia Tech employee inadvertently attached a spreadsheet with personal information to students invited to a computing conference. The list of students included student ID numbers, grade point averages and other personal information. 

Crain's Chicago Business - DePaul data breach IDs hundreds of workers

A DePaul employee inadvertently exposed protected health information for more than 650 employees in a congratulatory email to wellness program participants. Rather than blind copying recipients, the email displayed the names and email addresses of employees who successfully completed the program.

azfamily.com - ASU accidently reveals email addresses of 4,000 students

Arizona State University notified 4,000 students that their email addresses "were accidently revealed" in a large data breach. The data breach occurred when a university office sent bulk emails about renewing health insurance coverage without masking the identities of the recipients.

The Arrow - Southeast department sends email violating student privacy

Southeast Missouri State disclosed that an email from one of its colleges leaked private information about students, faculty and staff to approximately 50 of its communication students. The personal information was included in three attached spreadsheet files.

Lost or Stolen Equipment

The Seattle Times - Seattle University laptop containing 2,000 Social Security numbers lost

Seattle University warned that the names and Social Security numbers of more than 2,000 people could be exposed after a university-issued laptop was lost. The unencrypted laptop had information about employees and their dependents enrolled in the university's benefit plan.

Lincoln Journal-Star - UNL offering identity protection after laptop with personal information stolen

Thieves made off with the laptop of a consultant who helps manage the University of Nebraska-Lincoln's employee retirement benefits. Data on the unencrypted laptop included Social Security numbers, financial account information and other personal data. 

The Seattle Times - WSU to pay up to $4.7 million for data theft involving 1.2 million people

A Washington State University hard drive containing personal information of more than a million people was stolen from a self-storage locker. Data on the drive included Social Security numbers and had been collected by a research center at the university over a 15-year period.

Accidents Waiting to Happen

I prepared the synopsis for each incident directly from the linked news reports. What common elements do you see in the incidents? Note how many times the reports used "inadvertently" or "accidently" to describe what happened. 

WSU has four policies designed to reduce the likelihood of accidently disclosing sensitive or confidential information. We'll highlight those policies next time.