An Information Technology security firm has just released a study that found college students’ personal and financial information is put in jeopardy by many universities nationwide by allowing students to send such data through unsecured, unencrypted emails easily read by identity thieves.
At least one tech expert dismissed the survey as somewhat unimpressive, saying unless students are sending credit card numbers via unsecured email then what’s more important is what happens to that email filled with personal and financial data after the university receives it.
But other tech experts emphasized unencrypted email should not be dismissed.
The cyber-security firm HALOCK Security Labs noted in its research that it “sampled 162 institutions … and found 41 that encouraged scanning and emailing unencrypted documents. The sample included Big 10, Big 8, Ivy League, community colleges and technical institutes and found security transgressions in all sectors.”
“When universities utilize unencrypted email as a method for submitting W2s and other sensitive documents, the information and attachments are transmitted as cleartext over the Internet. This format is susceptible to hackers and criminals who can use this private information for identity theft,” says Terry Kurzynski, partner at HALOCK Security Labs.
The … investigation found unsecured data transmission via email is suggested or offered as an option in collegiate institutions located in California, Colorado, Connecticut, Florida, Idaho, Illinois, Iowa, Indiana, Kansas, Louisiana, Massachusetts, Michigan, Minnesota, Mississippi, New Jersey, New York, North Carolina, Ohio, Pennsylvania, Texas, West Virginia and Wisconsin. …
Universities are prime targets for hacker attacks and attempts at breaches happen daily. In a recent New York Times article, the University of Wisconsin cited that hackers from China are attempting to breach the university up to 100,000 times per day. …
The company recommends parents “insist on a secure electronic transport mechanism that is encrypted or they should deliver documents in-person, through fax or certified mail.”
In interviews with CIO.com, a tech magazine and website that reported on HALOCK’s survey, it was noted that “universities typically place in industry comparisons as some of the riskiest places for sensitive data … even at a schools with university-wide policies requiring encryption of sensitive data, it can be tough to run a secure ship.”
CIO reporter John P. Mello Jr. interviewed Mike Corn, chief privacy and security officer at the University of Illinois, who explained: “You’ve got all sorts of units engaging in all sorts of practices and it’s difficult in a highly distributed environment like that to police all of it. … It’s a simple thing for someone to say in the interest of customer service, ‘Why don’t you scan that and send it to me.’ It isn’t that anyone is intentionally violating a policy … it’s easy to fall back on what works easiest for the customer and not think about security implications.”
Mello also interviewed a tech expert who said what the real concern should be is not unencrypted emails, but what happens to students’ data after it’s emailed to the universities.
In other words, is it distributed to multiple people, does it go into single mail box and what does that person do with it – are they destroying it after they’re done with the data? Etc.
Clearly, as technology advances, so do the threats.
IMAGE: Don Hankins/Flickr
Click here to Like The College Fix on Facebook / Twitter: @CollegeFix
Please join the conversation about our stories on Facebook, Twitter, Instagram, Reddit, MeWe, Rumble, Gab, Minds and Gettr.