Earlier this spring, it was reported that Washington State University agreed to pay over $4.7 million to settle a lawsuit involving the breach of 1.2 million individuals’ confidential records. The settlement likely grabbed headlines for three reasons: a rare privacy and cybersecurity case involving a public university, the staggering figures in question in terms of both the settlement amount and the number of alleged victims, and, last but not least, the can-you-believe-what-happened circumstances behind the breach that have since come to light.
It is not everyday news to see a university involved in a cybersecurity breach. Yes, it likely happens more than we know, but it is not typically as dramatic in scale. Perhaps you would see a case where fifty faculty members from one department had their online access hacked by a student, or something similar, but rarely would it involve 1.2 million records. Most universities do not have a single database containing millions of valid social security numbers, as was the case here.
One may say the breach event itself was also dramatic. Not dramatic in the way of car chases or state-sponsored transcontinental heists – quite the opposite, actually – but gasp-inducing in terms of the recklessness involved, according to at least one legal expert interviewed. Missed opportunities to practice basic cybersecurity awareness were the precursors of a breach that affected over a million people.
According to records from the settlement and interviews with university spokespeople, the affected data on 1.2 million individuals was collected as part of social and economic sciences research that spanned 15 years. It contained addresses, social security numbers, college admissions test results, contact information, and career and health data. Not only was the confidential data not encrypted, it was stored on a hard drive in a self-storage locker where security was minimal and no security camera covered the vicinity. The hard drive was stolen from the storage facility in 2017 in an objectively undramatic fashion. The cautionary tale is a case not only for ramping up cybersecurity resources and preparedness, but also for raising basic security awareness among students, researchers, faculty members and other business or public-sector staffers not typically classified as cybersecurity personnel.
“An unencrypted database of millions in an unsecure location has no place in today’s world,” said Troy Gill, Senior Security Analyst at AppRiver, a Zix Company. “Some used to consider cybersecurity a niche; now it should be Business 101. Anyone in an organization who comes in contact with data should be trained in cybersecurity.”
In April 2019, the AppRiver Cyberthreat Index for Business Survey found that only 30% of all C-level executives and IT decision-makers at U.S. nonprofit organizations store their most confidential data exclusively on a secure network. 50% say it is stored across a mix of secure and unsecure locations and devices, while 20% of those surveyed admit their most confidential data is stored in unsecure locations or that they do not know where it is stored. Overall, 52% of all small-to-medium-sized businesses and organizations report that their most confidential data is stored on a secure network; 48% say it is not. Even within the technology sector, where one might assume data security would be standard practice, only 55% of all SMBs surveyed for the AppRiver study report that their most confidential and important data is stored exclusively on a secure network or location.
It is no exaggeration that everyone in business today, regardless of company size or industry, could benefit from higher cybersecurity awareness. The alternative is to brace for higher odds of falling victim to cybercrime. “Hackers are everywhere, and they will target every point of entry if we are not more vigilant,” said Gill.