More than 197,000 personal records were exposed in a security breach at the McCombs School of Business at the University of Texas, school officials said this week.
Initially discovered late last Friday, the breach occurred as early as April 11 and has exposed Social Security numbers and other information of alumni, faculty, staff and current and prospective students of the business school. IT staff at the university are investigating the source of the breach.
In the meantime, the university has set up a website and toll-free numbers to direct those potentially affected on how to protect their identities. Officials will also notify everyone in the affected database, whether their Social Security numbers were accessed or not.
This is the second IT security incident in three years at UT and one of a rash of higher-education security breaches in recent memory.
"I think the challenge for academic institutions is that they need to put in place stronger controls around their database systems among other systems," said Murray Mazer of Lumigent, a database compliance and security company based in Acton, Mass.
Mazer pointed to the challenges that IT staff in higher education face when they are tasked with securing such a highly distributed environment. Often the IT staff does not have the ultimate authority over individual departments and colleges to demand better security controls.
"The ability to make autonomous decisions is good in a university in many ways, but it may not be supporting a strong IT control environment," he said. "That is part of the challenge; the lack of a central focus around stronger IT controls for data protection."
In order to move beyond this challenge, Mazer believes that institutions need to realize that the act of protecting sensitive information is a shared responsibility.
"With expectations being ratcheted up on the part of consumers, including, for example, faculty and students, people have to have policies and safeguards in place to reduce the number of breaches and increase the likelihood that a breach will be detected," said Mazer. "But the more important point is that responsibility is now shared by various functions throughout the organization. All of those parties should be focused on how they have appropriate controls on their data."