From birth dates and other identifiers to payment information, education institutions need to handle a large amount of personal data. But what happens when that data is intercepted by hackers? Two entities on two different continents — the University of California system and the Amman, Jordan-based nonprofit Edraak — are each facing that question. In both cases, the consequences for the organizations may be more severe because they were trusted with keeping student data private.
An issue of student privacy
The UC system first announced that a data breach had occurred in late March. The actual breach did not occur on a UC server, but rather on the file transfer service of a third-party vendor called Accellion. Notably, the impacted product, the File Transfer Appliance, is over 20 years old.
It is currently unclear exactly how much data was stolen from the UC system. Some of the data believed to be compromised include names, addresses, birth dates, phone numbers, Social Security numbers and some other bank account information. In a press release on the breach, the UC system warned its students to be on the lookout for "threatening mass emails" asking for a ransom payment and offered additional resources to prevent possible identity theft.
While the eventual policy ramifications of the UC breach remain to be seen, some changes could be possible. In a piece published on The Hill, William M. Evers, a senior fellow at the Center on Educational Excellence, argued that the fallout of the breach should include changes to data privacy exceptions that education institutions currently have in place under Section 15 of California Proposition 24. Evers also pointed to several other data breaches and ransomware attacks on other school systems.
The UC system wasn't the only Accellion customer impacted by the breach on the File Transfer Appliance. Other victims in the education sector included the Universities of Colorado, Miami and Maryland. Non-education victims included several major law firms, the Reserve Bank of New Zealand, Singtel and the Australian Securities and Investments Commission.
A leak in Jordan
On the other side of the world from California, the online education nonprofit Edraak is also facing criticism for the way it handled a leak of student information, according to TechCrunch.
The issue was first discovered in February by TurgenSec, a U.K.-based cybersecurity firm that discloses security incidents. One of Edraak's cloud storage servers had been left unprotected. While Edraak confirmed that they had seen TurgenSec's warning about the leak, they continued to leave the server open for another two months after becoming aware of the issue. Finally, the issue was resolved after TechCrunch reached out to the nonprofit. Some of the information left in a compromised position included student names, birth years, genders, email addresses and even some grades.
In a response to the issue, Edraak chief executive Sherif Halawa released a statement clarifying that the server itself had been made public intentionally but that the sensitive information was not supposed to be in it.
"[the server was] meant to be publicly accessible, and to host public course content assets, such as course images, videos, and educational files… Due to an unfortunate configuration bug, however, some academic data and student information exports were accidentally placed in the bucket."
Edraak currently plans to notify potentially affected students about the breach.
Edraak was founded in 2013 by Queen Rania of Jordan with the stated goal of promoting education initiatives across the Middle East. Notably, the nonprofit works with several high-profile partners in the education sector, including the British Council and an education consortium that includes Harvard, MIT and Stanford.
Cybersecurity you can count on
Even if you're organization doesn't have to handle large amounts of student personal data, your information is crucial and worthy of protection. One of the easiest and most important ways to shore up your network is by ensuring all of your applications are protected by modern, secure identity frameworks. This can include multi-factor authentication and some vendors are moving to integrate bio-recognition such as fingerprint readers.