In 2019, unauthorized access to a web application exposed the Personally Identifiable Information (PII) of around 1.3 million faculty members, staff, students, applicants and others at Georgia Tech in Atlanta. PII such as Social Security numbers, names, dates of birth and email addresses was compromised in the breach. Although the institution responded by offering credit monitoring and identity theft protection services and promising to strengthen its data security efforts, much of the damage had already been done.
Just two years before the Georgia Tech breach, Washington State University suffered a major data breach that ended in a settlement of $4.7 million. A locked safe containing a hard drive was used to store backup files for the university's Social & Economic Science Research Center. The hard drive held sensitive information on around 1.1 million individuals, including PHI (Protected Health Information), Social Security numbers and addresses.
The above incidents, and hundreds more like them, underline the importance of effective data security systems in the educational sector. Such a system helps keep educational data safe and prevents attackers from stealing valuable information whose loss has severe consequences for both the institution and the victims.
What makes the education sector a target for data thieves?
-A trove of sensitive information: Educational institutions hold a variety of sensitive information in their data storage systems. These systems may contain the following sensitive information belonging to students, parents, faculty, third-party organizations, alumni and others:
-Date of birth
-Financial data such as credit card and debit card numbers
-Staff payroll information
-Student fee payment information
Beyond the above, research findings and projects are also targets for data thieves.
Educational institutions often hold data that is protected under the Family Educational Rights and Privacy Act (FERPA). Attackers target such data too, because it has high monetary value.
-A one-stop shop: Typically, after breaching an institution's data storage system, attackers look for valuable information such as health and financial data. This makes healthcare and financial institutions the prime targets for data thieves. But since schools hold a variety of such data, including health and financial records, they have become one-stop shops for data thieves.
-Well-documented research papers and findings: Findings from research papers and projects are often well documented and marketed. Alongside sensitive personal data, such findings can quickly become targets in their own right.
-BYOD: As more schools and universities go digital, faculty and students are encouraged to use electronic devices that enhance the learning experience. Students and faculty bring their own devices (laptops, hard disks, pen drives, etc.) and connect them to the institution's infrastructure, and many contacts with individuals overseas are made during the course of learning. With such a variety of devices joining the campus network, the number of potential points of data leakage also increases.
Given the abundance of data that educational institutions hold, data thieves make constant efforts to infiltrate their systems. They often find buyers for such information on the dark web and earn a handsome profit. Unacademy, a popular educational technology firm, fell prey to a major attack that compromised over 20 million user accounts in 2020. These accounts later ended up on the dark web, where the attackers made money by selling them. Even more alarming, the attackers claim to have obtained the whole database but have so far chosen to leak only the user accounts, holding the rest for later.
An effective data security system can help combat such incidents by detecting and preventing data-centric attacks.
Types of threat actors and their motives
In 2017, as the result of an unintentional internal error, the Texas Association of School Boards made the names and Social Security numbers of Texas school employees public. This shows that data threats are not caused by external actors alone. According to Verizon's 2019 Data Breach Investigations Report, 45% of data-centric threats in the education sector stem from internal actors' intentional and/or unintentional actions.
The larger share, 57% of the threats that befall the education sector, is caused by external actors. These actors are driven by a variety of motives; a few are listed below:
Financially motivated attacks: The Australian National University discovered a breach in May 2019 that compromised student PII and financial information gathered over a period of 19 years. Such data carries a lot of financial value for attackers when sold to buyers on the dark web. 80% of data attacks in the education sector are motivated by similar financial reasons.
Espionage: An Iranian hacking group carried out data attacks on more than 300 universities across the U.S. in 2018. 11% of attacks in the sector are motivated by espionage.
The above incidents, and the hundred more that surface every year, reiterate the need for a comprehensive data security solution in the education sector.
Impact of a data breach in the education sector
As in most other sectors, a breach of an educational institution's database brings a host of consequences. An effective data discovery solution is necessary for educational institutions to combat data-centric threats, because an attack can affect the institution in the following ways:
Financial implications: The University of Maryland paid $6 million to the victims of a data breach that leaked the records of over 300,000 students in 2014. The university paid the amount to students to cover their credit monitoring services.
Financial consequences follow almost all major data breaches and dent the institution's financial health. A breach may even cost the institution future student fees and the associated income.
Lost reputation: Reputational damage caused by a breach can be hard to recover from. Educational institutions take years to build a reputation and earn the student community's trust and loyalty. A breach destroys this in an instant, and the institution is left rebuilding it from the ground up. A damaged reputation may also affect the institution's future funding.
Legal: Various legal regulations govern the handling, access and storage of data in educational institutions. FERPA is one such important regulation; it mandates the privacy of students' and their parents' information. Institutions of Higher Education (IHEs) that fail to comply with FERPA may forfeit their federal funding. A few U.S. states also allow monetary damages for the disclosure of confidential information.
How is the breached data put to use?
Breached data is not only sold on the dark web. Monetary gains aside, there are several ways of putting stolen data to use. Below are a few:
Trade of sensitive national secrets: A well-planned attack was launched against the National University of Singapore (NUS) and Nanyang Technological University (NTU) in 2017 to steal classified government research data. While Singapore's Cyber Security Agency (CSA) did not share the actual motive behind the attack, such attacks are assumed to be launched to gain access to the country's political and military strategies. Universities often work with the government on research into such critical topics.
Monetary gains: Did you know that student email addresses sell like hot cakes on the dark web? According to a 2017 report by the Digital Citizens Alliance (DCA), the dark web hosted an alarming 14 million email accounts, valued at $3.50 to $10 each in 2017.
Discounts on software: Unauthorized access to students' private information, such as email addresses, offers the attacker more than one way to save money. If you are a student at a university in the U.S., your email address will most likely end with the suffix '.edu'. Did you know that this suffix can get attackers large discounts on software? It is not uncommon for some online retailers to offer free shipping on products when a student email address is used during the purchase.
Access to other details: Once compromised, student information can even open the door to wealthy donors and to existing or future grants.
Adopting an effective and comprehensive data security solution can keep your institution from falling prey to attackers and data thieves who mishandle private data and put your institution at risk.
How can your educational institution secure itself from data-centric attacks?
Kogni can help your educational institution comply with a range of legal regulations that protect the privacy and security of your students’ private information, such as FERPA, COPPA, HIPAA, GDPR, CCPA, etc.
The Family Educational Rights and Privacy Act (FERPA) is one of the many laws that protect the privacy of student education records and ensure the privacy and security of sensitive information. FERPA applies to all schools that receive funds under an applicable program of the U.S. Department of Education.
A few key clauses under FERPA are:
-Parents or eligible students have the right to inspect and review the student's education records maintained by the school.
Kogni, an acclaimed data security solution, can help your institution comply with this clause. Whenever a parent or student requests access to their records, institutions leveraging Kogni's powerful data discovery feature can pull up the records instantly from all available data sources.
-Parents or eligible students have the right to request that a school correct records which they believe to be inaccurate or misleading.
When a parent or a student above the age of 18 requests a correction to their records, educational institutions leveraging Kogni's data discovery capabilities can instantly pinpoint the records to allow their correction. Kogni thoroughly scans your data landscape to locate the data, enabling compliance with this clause.
Apart from the key clauses above, Kogni's data security solution enables your compliance with many other clauses under FERPA.
The Children’s Online Privacy Protection Act (COPPA) dictates how operators of websites and online services must protect the personal information of children under the age of 13 and puts the parents in the driver’s seat.
Below are a few key clauses under COPPA and how Kogni can help your institution comply with them:
-Organizations must give parents a way to review the personal information collected from their child.
When a parent requests access to their child's personal information, institutions that have Kogni by their side can pull up the data instantly from all available data sources.
-Organizations must give parents a way to revoke their consent and refuse further use or collection of personal information from their child.
With Kogni's data discovery feature you can access all data belonging to a particular student in a few clicks. The requested data is pulled up instantly on your screen, which helps you process the parent's request.
-Organizations must give parents a way to delete their child's personal information.
When a parent exercises their right to deletion, educational institutions can use Kogni's data discovery solution to instantly collect the child's data from all available sources and comply with this clause.
Educational institutions must also comply with the Health Insurance Portability and Accountability Act (HIPAA). A HIPAA audit assesses your institution's ability to protect PHI/ePHI (Protected Health Information / electronic Protected Health Information) against compromise.
Since educational institutions handle a variety of student, faculty and parent health data, they must comply with HIPAA to avoid violations and the substantial penalties that come with them. Kogni discovers, secures and monitors your PHI/ePHI regardless of its location in your data landscape and can help accelerate HIPAA compliance.
Below are the key HIPAA requirements that Kogni can address to achieve compliance:
- Access Control: A covered entity must implement technical policies and procedures that limit access to ePHI to authorized personnel.
Kogni discovers all your HIPAA-related sensitive data regardless of its location. It then classifies the data under preset groups created by Kogni or custom groups created to suit your institution's unique needs. It makes identifying the data's location simple at any point in time by tagging your data and mapping it across users, folders and permissions. Whether your PHI/ePHI resides in a database, a file system, a NoSQL store, a big data platform or anywhere else across your institution's data landscape, Kogni helps you locate it in no time. Kogni also supports structured, semi-structured and unstructured data.
Kogni monitors both data at rest and real-time data wherever it resides and offers unified single-pane visibility into your data. It is also uniquely positioned to identify and report on critical data that resides in SaaS applications (Slack, Jira, Salesforce) and other hosted services.
- Audit Controls: Under HIPAA, a covered entity must deploy hardware, software and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use ePHI.
Kogni monitors various enterprise channels such as files, folders and email. This gives entities visibility into how authorized business units interact with their HIPAA data. Our enterprise data security tool continuously monitors for deviations from established risk patterns and alerts your institution, so that data misuse is stopped before it turns into a full-blown data breach.
- Integrity Controls: To demonstrate HIPAA compliance, a covered entity must have policies in place to ensure its ePHI is not improperly altered or destroyed.
Kogni helps your institution architect a robust analytics process. It tracks your HIPAA-related data's activity: its location, its state, the alterations it undergoes across your entity's data landscape, and its interactions and activity in your cloud environments. It then logs the potential threats to your PHI/ePHI and notifies you with appropriate alerts.
Kogni also offers other expert capabilities to accelerate your HIPAA compliance:
- Kogni alerts users
-when an authorized user accesses your ePHI from a different geographic location;
-when they interact with HIPAA-related information they have never accessed before;
-when they log in from a system that lacks the required client-based certificate, or from an unsafe network zone.
- Kogni offers high precision data analytics with a number of data points to ensure the accuracy and actionability of the information.
- Kogni is built on advanced machine learning capabilities and other data mining and heuristics analytics techniques that bring down false positives to negligible numbers.
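To make the three alert conditions above concrete, here is an added illustration of how such access-monitoring logic can be expressed; it is example code, not Kogni's implementation. The event fields (user, geo, dataset, client_cert, zone), the UNSAFE_ZONES set and the sample events are all constructed assumptions for the demo.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Added example, not Kogni's code. Event fields and UNSAFE_ZONES are assumptions.
UNSAFE_ZONES = {"guest-wifi", "public"}

@dataclass
class AccessEvent:
    user: str
    geo: str           # region the session originates from
    dataset: str       # logical name of the PHI/ePHI dataset touched
    client_cert: bool  # did the client present the required certificate?
    zone: str          # network zone of the client system

@dataclass
class Baseline:
    """Per-user history: geolocations and datasets seen so far."""
    geos: Dict[str, Set[str]] = field(default_factory=dict)
    datasets: Dict[str, Set[str]] = field(default_factory=dict)

def evaluate(events: List[AccessEvent], baseline: Baseline) -> List[str]:
    """Return one alert per fired condition; the baseline learns as events are processed."""
    alerts = []
    for ev in events:
        seen_geos = baseline.geos.setdefault(ev.user, set())
        seen_data = baseline.datasets.setdefault(ev.user, set())
        # Condition 1: access from a geolocation not previously seen for this user
        if seen_geos and ev.geo not in seen_geos:
            alerts.append(f"{ev.user}: new geolocation {ev.geo} for {ev.dataset}")
        # Condition 2: first-ever interaction with a HIPAA-related dataset
        if ev.dataset not in seen_data:
            alerts.append(f"{ev.user}: first access to {ev.dataset}")
        # Condition 3: missing client certificate or login from an unsafe network zone
        if not ev.client_cert or ev.zone in UNSAFE_ZONES:
            alerts.append(f"{ev.user}: untrusted client (cert={ev.client_cert}, zone={ev.zone})")
        seen_geos.add(ev.geo)
        seen_data.add(ev.dataset)
    return alerts

# Constructed sample events (not real data): a normal pattern, then deviations.
SAMPLE_EVENTS = [
    AccessEvent("nurse01", "US-GA", "student_health_records", True, "campus-lan"),
    AccessEvent("nurse01", "US-GA", "student_health_records", True, "campus-lan"),
    AccessEvent("nurse01", "RO", "student_health_records", True, "campus-lan"),
    AccessEvent("nurse01", "US-GA", "immunization_db", False, "guest-wifi"),
]

def run_demo() -> List[str]:
    return evaluate(SAMPLE_EVENTS, Baseline())
```

Against an empty baseline the constructed events raise four alerts: the first dataset access, the new geolocation, the second dataset's first access, and the uncertified client on guest Wi-Fi.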
The European Parliament's efforts to protect its citizens' data gave birth to the much-awaited General Data Protection Regulation (GDPR). The law applies to every member state of the European Union and aims to create a data protection framework that covers both consumers (parents and students in this case) and their personal data.
Kogni's GDPR-focused features enable institutions to discover sensitive data in their data sources, secure data as it is ingested, and continuously monitor data sources for possible breaches and policy violations. With its automated sensitive data discovery, Kogni is uniquely positioned to help institutions adhere to GDPR within an accelerated time frame. Its data loss prevention mechanism for GDPR helps institutions secure their sensitive data.
The California Consumer Privacy Act (CCPA) is a much-needed law that upholds customers' right to data privacy. The law gives customers (students and their parents, in this scenario) rights concerning the collection and use of their personal information.
CCPA applies to any organization, anywhere in the world, that collects and uses the data of California residents.
Institutions must take a comprehensive approach to CCPA compliance by implementing an all-inclusive enterprise data security tool such as Kogni. Kogni can help them track the location and purpose of their customers' personal information. It helps customers exercise their rights to information, portability, erasure and more, and lets institutions manage opt-outs when customers no longer consent to the sale of their personal information.
Our expert data security software, Kogni, is FERPA-, COPPA-, HIPAA-, GDPR- and CCPA-ready out of the box. Explore Kogni's 24/7/365 expert sensitive data discovery, security and monitoring capabilities free for 90 days.