OSINT University: are Colleges and Universities protecting Student Data?

In brief: Colleges and universities collect reams of student data – including personally identifying information – as part of their student “directory” files. They then distribute it to – basically – whoever asks. In this podcast, we talk with Leah Figueroa, who has researched the issue. Also: where are all those Devil’s Ivy attacks? And: companies are desperate for tools and talent to beat back sophisticated threats. Is artificial intelligence the answer? We talk with Endgame about the results of a new survey.

We’re halfway through August and the “back to school” commercials are in heavy rotation on TV. That can mean only one thing: fall is just around the corner and with it, the return of millions of students to the classroom. Which brings to mind this question: ‘we read all the time about the theft of data from financial institutions, hospitals and retailers. But what about our schools?’

Colleges and universities, let alone K-12 schools and school systems, hold vast troves of data on their students. This includes not just the courses individuals take (and how they do in them), but loads of personally identifying information (or PII) such as Social Security Numbers, email, physical addresses and even health records.

How well do schools guard this data? ‘Not very well,’ according to Leah Figueroa, a data analyst at a community college in Texas who has researched the issue. Figueroa, whose curiosity was piqued by the many, wide-ranging requests for student data that her school receives, found that institutions like her employer regularly divulge thousands, tens of thousands – even hundreds of thousands – of “directory data” records on current and former students every year, no questions asked. Social Security and credit card numbers might not be in the mix, but there’s plenty of personally identifying information (PII) that could be used to further identity theft or target students with products like sub-prime loans. This, despite a federal law that protects student data: the Family Educational Rights and Privacy Act of 1974 (or FERPA).

In this podcast, we talk to her about her research and discuss what kinds of data schools collect on students as part of the student “directory,” what laws govern its distribution and how students can protect their data.

Also in this week’s podcast: Paul interviews Assaf Harel of the security firm Karamba Security about last month’s Devil’s Ivy vulnerability in gSOAP, a common open source library. With millions of affected endpoints, why haven’t we seen any Devil’s Ivy attacks yet?

Finally, Ashwini Almad of the firm Endgame talks about a study her company commissioned with Forrester that found the vast majority of firms were the victims of cyber attacks in 2016, along with frustration over the inability to stop them. A lack of skilled workers is one big problem. Overly complex security tools are another.

Will automation and artificial intelligence be able to make up the difference? We’ll discuss the options available to companies.

Check out our full conversation in our latest Security Ledger podcast below or over at Soundcloud. You can also listen to it on iTunes. As always, if you like our intro music, give some love to the group JoeLess Shoe, who recorded “Baxton,” the song we use in just about every podcast.
