Universities and colleges: you’ve been warned
Every day, I see reports of SQLi vulnerabilities or cross-scripting vulnerabilities for university/college sites, and I wonder, “How many students and employees have personal information at risk because of this?”
Consider this tweet from a self-described black hat hacker, @JM511:
@amzh702 I’m tryin to fucked up any college or ESL or university as much as I can ?.. I need info I have over 2 millions informations
— JM511 Hacker☠ (@JM511) August 8, 2015
So universities and colleges: will you become one of JM511’s victims? Or to put it more accurately, will your students and employees have their personal information stolen by JM511 because you failed to adequately secure your system from well-known vulnerabilities?
In the U.S., the failure to enforce data security in the education sector is well-known. The FTC says it doesn’t have authority under Section 5 over not-for-profits (even though EPIC.org and I argue that they do have authority under the Safeguards Rule if the breach involves financial data such as student loan information). And the U.S. Education Department doesn’t really enforce data security, either.
So where’s the intense motivation to protect student data? Could breaches in the EDU sector result in litigation? Of course. But ultimately, do we want colleges and universities paying out over data breaches or do we want them investing in educating students and protecting their data?
Some of this is all so avoidable. In the meantime, I’ll keep watching for disclosures of data dumps in the education sector.