Several recent data breaches and leaks involving the personal information of university students have shed light on the importance of safeguarding the reams of personally identifiable information (PII) young adults are asked to submit to large institutions of higher education — sometimes many times over, for those in the process of applying to multiple universities or scholarships. Such students and their parents or guardians often submit data to large clearinghouses for the purpose of efficiently submitting applications, making such institutions obvious targets for anyone seeking to find and exploit information.
Other times, it's simply a local school district that's the target. Institutions that keep large volumes exposed to the internet will do well to think critically about best practices for securing that data with reliable tools.
SmarterSelect data leak
In September 2021, an American company called SmarterSelect exposed 1.5 terabytes of data related to student information collected for the purpose of scholarship programs. These programs require information including tax returns, health information, personal letters of recommendation, health information and academic transcripts. Phone numbers, addresses and email addresses of applicants and — in many cases, their parents — were also compromised. The data was exposed owing to a misconfigured Google Cloud Storage bucket.
The cybersecurity firm which detected the data leak, UpGuard, noted that the bucket contained nine top level directories, and that those with logos indicated either hundreds or thousands of organizations swept up in the leak. Additional directories contained PII found on applications, including one with 2.79 million files. Those included original files submitted for educational funding opportunities, some of them with photos, transcripts and letters of reference.
Colorado University data breach
In October, 2021, the University of Colorado Boulder had to email 30,000 students and alumni to inform them of a data breach. In that case, a third-party software provider had made known to its clients a security vulnerability — which was indeed infiltrated by a hacker — but the University had not updated its software in time. The software was being used in the University's Office of Information Security, of all places.
The Australian-based provider, Atlassian, was aware of a vulnerability in its software and had released a patch in August 2021. But the University says it was only in the process of testing the patched version of the software when the data breach occurred.
Troves of PII including addresses, names, dates of birth and phone numbers were disclosed in the breach. According to CU Boulder, no Social Security numbers were revealed — and the updated version of the software was finally installed.
High school data swept up too
It isn't only institutions of higher education that can be caught up in data breaches. School districts across the U.S. can be vulnerable to all kinds of attacks seeking to gather and exploit PII.
In Texas, a school district in San Antonio that serves 23,000 students fell victim to a ransomware attack that locked educators and administrators out of their computer systems for weeks alongside phone systems, fax machines and Wi-Fi networks. At one point, the superintendent of the Judson Independent School District said she worried about beign able to pay employees and sending transcripts to colleges for matriculating seniors. The attack was attributed to a phishing scheme.
According to local news reports, the district is one of at least 20 targeted by ransomware since 2019. The Judd school district wound up paying $547,000 to the hackers. This amount is reported to be the highest known ransom paid by a U.S. school district.
Lessons learned
In each of the above, a different vulnerability was exploited and PII was made vulnerable to malicious actors. This should prompt school administrators to think more carefully about the volume of data exposed to the wider internet. Does student data need to be stored online, and for how long? This is a key question asked by each of the above institutions after the data was exposed.
When data does need to be online — for example during years when students are using clearinghouses to help apply for financial aid at multiple places — it is essential that IT managers carefully consider the amount and sensitivity of the data they protect.
Beyond obvious solutions like quickly installing updated software and making sure privacy settings are configured correctly, another easy way to shore up your networks is to ensure every tool you utilize is protected by modern, secure identity frameworks. Further, institutions that use a widely established, open source coding language like Java will want to take care to stay safe. Terminal emulation programming from Inventu can remove Java code and keep your organization safe from data breaches and other threats.
Here at the Inventu Corporation, we equip organizations of all sizes with a revolutionary terminal emulation tool called Inventu Viewer+, a high performance emulation solution that is built with C at its core. Inventu Viewer+ supports SAML 2.0 and other identity technologies to enable securing your critical mainframe applications. This allows developers to craft reliable and safe software using clean HTML and JavaScript hosted on secure Windows servers. All in all, Inventu Viewer+ supports streamlined IT modernization and meets employer and staff expectations in a way that feels both familiar and simple. Contact us today or review our extensive product catalog to see how Inventu can help you integrate your active terminal emulation with the best web identity frameworks available.
