YOU ARE HERE: LAT HomeCollections

College Door Ajar for Online Criminals

Hackers discover that universities are rich in personal data and easier prey than banks.

May 30, 2006|Lynn Doan | Times Staff Writer

Computer systems at universities across the nation are becoming favorite targets of hackers, and rising numbers of security breaches have exposed the personal information of thousands of students, alumni, employees and even college applicants.

Since January, at least 845,000 people have had sensitive information jeopardized in 29 security failures at colleges nationwide. In these incidents, compiled by identity theft experts who monitor media reports, hackers have gained access to Social Security numbers and, in some cases, medical records.

"There are so many examples within the last year demonstrating that these universities are just real, true, vulnerable targets," said Michael C. Zweiback, an assistant U.S. attorney in Los Angeles who prosecutes hackers. "All of a sudden, it seemed like we were adding on another university every week to look into."

Although comprehensive statistics on breaches of college computer systems aren't collected by a single entity, industry experts agree that the situation is growing worse.

Computer security is an increasing concern for all types of private groups and government agencies. Last week, the Department of Veterans Affairs confirmed that electronic records of up to 26.5 million veterans and some spouses were stolen from the home of a federal employee.

Cyber security officials say hackers are realizing that colleges hold many of the same records as banks. But why hack a bank, one official asked, "when colleges are easier to get into?"

Colleges accounted for the largest percentage, roughly 30%, of computer security breaches reported in the media last year, according to ChoicePoint, a consumer data-collecting firm in Georgia.

FBI Special Agent Kenneth McGuire said that five years ago, his cyber crime unit in Los Angeles worked on one to three college hacking cases at a time. On a recent afternoon, his team was working with six colleges whose systems had been hacked.

Arif Alikhan, who oversees computer hacking cases for the U.S. attorney in Washington, said that when he was chief of cyber crime in Los Angeles between 2001 and 2005, his caseload doubled.

And for the first time in seven years, colleges identified security as the most critical issue facing their computer systems, according to a survey of about 600 colleges released this month by Educause, a nonprofit group that promotes information technology use. In a 2000 survey, security wasn't even among the top five concerns.

Hackers are drawn to colleges for various reasons.

In March, 41 Stanford University applicants hacked into the admissions system to see if they had been accepted. A man accused of hacking into USC's admissions system last year said he was only trying to prove that it was vulnerable.

In December, hackers appear to have broken into a system at the University of Washington to find a place to store their music files.

The openness that's rooted in the nature of academic institutions is partly to blame.

"Students want to be downloading MP3's. Professors want a system for general research," McGuire said. "Whenever you have such large portals to information open, you're going to have vulnerability to attacks."

Erich Kreidler, who teaches an engineering class at USC, said he posts everything online, including grades and final exams. "It's about convenience," he said.

But convenience can have a price.

Last month, the University of Texas discovered illegal access to 197,000 Social Security numbers of students, alumni and employees. Days later, a San Diego man was charged with hacking into the USC admissions system in June 2005.

Ohio University confirmed its third security breach since April, together compromising 360,000 personal records and a number of patented data and intellectual property files.

And Sacred Heart University in Connecticut reported last week that a security breach has compromised the Social Security numbers and some credit card numbers of 135,000 people -- some of whom never applied to, worked at or attended the university.

Like many universities, a spokeswoman said, Sacred Heart collects personal information from college entrance exams, college fairs and recruiting firms. Robert M. Wood, chief information security officer at USC, said the college's computer system is scanned by hackers an estimated 500,000 times a day.

"It's pretty much a lot of doorknob rattling," he said. "But occasionally, they find an open door."

USC has reported two security breaches in the last year.

The University of California doesn't track security breaches, but ChoicePoint has logged five hacking incidents at UC campuses since January 2005. The California State University system reported at least 24 breaches since July 2003.

In March, an 18-year-old New Jersey man was convicted of breaking into a dozen systems at San Diego State. He was sentenced to three years' probation and must pay the school $20,000 in restitution.

Los Angeles Times Articles