Slipping Through the Cracks

Yesterday's announcement that the personal information for thousands of members of the University community may have been compromised is yet another reminder that such glitches and breaches have become a commonplace part of college data management.

In May 2006, Ohio University announced a security vulnerability that had left the personal information of 360,000 staff, faculty, and alumni-including more than 137,000 Social Security numbers-available on the Internet for 14 months in a series of three separate breaches. The lapses led the university's chief information officer, William Sams, to resign and led the university to hire a consultant to perform a risk assessment of the network and to ask its board of trustees to spend millions to upgrade network security.

A month earlier, the University of Texas found that someone had illegally accessed the Social Security numbers of 197,000 students, faculty, staff, and alumni. Last December, the University of California, Los Angeles, announced that 800,000 users' records had been compromised during a series of incidents over the course of 13 months.

In fact, Columbia's data breach isn't even the largest in April 2007. Two weeks ago, the University of San Francisco had to notify 46,000 of its users that their personal data, including Social Security and bank account numbers, could have been stolen when an on-site server was left open to a potential breach in late March.

This isn't the first potential breach that Columbia has endured, either. In June, Barnard announced that 4,800 students, faculty, and administrators at the college had been left at risk when hackers accessed a computer that had been left unprotected on its network, a relatively small incident when compared to those at other schools. In March of 2005, Columbia's Junior-Senior Advising Center inadvertently e-mailed one student's Social Security number to the entire senior class in Columbia College and the School of Engineering and Applied Science.

A survey released in October by CDW Government, Inc. and Eduventures found that 9 percent of colleges surveyed had reported a theft or loss of student information, 21 percent had been hacked by somebody within the university, and 35 percent had experienced an intrusion from outside the network within the last year. All told, 58 percent had gone through some kind of IT incident in the preceding 12 months.

Meanwhile, the Los Angeles Times reported that in a five-month period at the beginning of last year, 845,000 people had their personal information compromised in 29 college- and university-related security lapses and that colleges were responsible for 30 percent of all computer security breaches in 2005, according to a report by data aggregation firm ChoicePoint.

Yesterday's announcement has become all too familiar at college campuses nationwide, and the University has begun taking steps to mitigate them at Columbia. To prevent these sorts of security breaches, Columbia University Information Technology hired Medha Bhalodkar to fill its new post as chief information security officer late last year. Yesterday, Bhalodkar was unavailable to comment about what she has done to improve security on campus. The University has said that it is planning to do away with the use of Social Security numbers as a means of identifying its affiliates. Columbia's Secure Identity and Access Control project will replace all CUID cards currently in circulation with a newer, more secure model.

As Columbia moves forward with its initiatives, its goal is go keep the private information of Columbians private. But as other schools have shown, it will be a long, hard-fought battle to achieve success.