Data protection is important for all companies, but for a college, it means protecting a population that is, in many ways, just starting out in the world. These issues are being discussed all around campus this week as Northwest Florida State College (NWFSC) resolves a breach that may have affected nearly 300,000 people.
Employee information was breached between May 21 and September 24 after hackers apparently accessed a folder on the school's main server. Officials said they reviewed this internally between October 1 and 5 and found that 76,000 current and former students of NWFSC had information exposed in the breach, as did 200,000 other students across the state who were applying for or eligible for the Bright Futures scholarship. These students were affected in the years 2005-2006 and 2006-2007.
Added to this is the fact that more than 3,000 retired and current employees had their information exposed too, which eWeek said makes this one of the "most extensive" security incidents for a college in recent memory.
In NWFSC's case, exposed information included names, Social Security Numbers and birthdays, all of which could be used by a skilled hacker to steal information and identities. Personal information stolen also included direct deposit routing numbers. About 50 employees have reported issues with identity theft as of this month.
"We provided information to employees as soon as we had an indication that there was an issue – when we initially had reports from five employees that their direct deposit accounts had been unlawfully accessed," said Dr. Ty Handy, college president, in a statement. "We needed employees to take immediate steps to individually review and protect their personal data. As they did, more employees began to report issues once they reviewed their information."
One security vendor said that when it looked at the highest-risk universities, it found New York University was No. 1 due to transactions coming from different time zones. The company said a VPN or a proxy could be used to ensure that transactions are coming from people who actually work for the entity, which is one possible solution for schools like NWFSC.
Avoiding these breaches
Cloud computing, virtualization, big data and countless other emerging technologies are being integrated into government entities, universities and businesses, so there will certainly have to be more data security and oversight brought into these places. Government Health IT posted an article on how companies and organizations can avoid breaches, speaking with people like Christine Arevalo, director of healthcare identity management at ID Experts.
"We operate with three core values," she said. "One is the importance of taking preventative action. The second is doing the right thing for patients and the data you're entrusted with; the system as a whole is based on the trust patients have in physicians and safeguarding their sensitive information. And the third is being compliant – it's a regulatory matter that can’t be ignored. We’re seeing a lot more of those rules being enforced, specifically data breach notifications. Companies can't hide from those issues anymore."
The professionals interviewed by Government Health IT offered some tips for staying safe, including performing a risk assessment and understanding what sensitive information the company holds and how it can be protected. Businesses should also always train employees on security basics and have an incident response plan ready to go in case something serious happens. With policies like these in place, companies should have much better data security than before, as the information is being kept in mind instead of simply forgotten about.
Data Security News from SimplySecurity.com by Trend Micro.