Whether you study at a university, teach at one, or you work in a university records or IT department, you’ve probably noticed that universities collect and store a lot of personal data. At the least sensitive end, this personal information includes names, gender, addresses, ID numbers, email addresses, phone numbers and other contact details. At the most sensitive end of the scale, universities may also record:
- photo IDs
- ethnic origin
- sexual orientation
- religious beliefs
- criminal convictions
- disciplinary details
- fee payment details
- academic records
- physical and mental health records
In the majority of cases, all the information collected is necessary to keep the infrastructure of the university running smoothly. However, despite the necessity of this data collection, personal information is often confidential and highly valuable.
As such, it’s natural to worry about data privacy and security in universities, including the possible risks involved in university data collection, how safe that data is, and what can be done to keep it more secure.
What cybersecurity risks does university data face?
Whenever data is being stored by an institution, there is always a risk of a data breach – the release of personal information, whether intentional or unintentional.
University data breaches can happen in a number of ways, and they pose multiple potential risks to both the university and the individuals whose data is being stolen.
Data risks: how is data stolen?
With hackers getting smarter day by day, it would be impossible to give an exhaustive list of all the ways data can be stolen from universities. However, it is possible to group them into 3 broad categories:
1. Cyberattacks
Cyberattacks are digital attacks launched by hackers to obtain or damage data. These attacks can take on multiple forms. One of the most common is phishing, where hackers spoof university websites and emails to get unwitting students and teachers to reveal their data.
This was the method used by an Iranian hacking group from 2013 to 2018, stealing a whopping 31.5 TB of data from 320 universities around the world.
2. Insider leaks
It may surprise you to learn that half of all data leaks across industries come from insiders rather than hackers. In universities, this often involves staff who have been fired or disciplined and decide to maliciously leak information to harm the university.
3. Physical theft
While physical theft is one of the least common ways data gets leaked in the modern age, it still happens. If universities hold physical records, attackers may physically break into the places where they’re held and steal or damage them.
Access keys and cards are also at risk of physical theft, since many of them allow access to restricted areas and sometimes even computers.
How do breaches harm universities?
If a university is hit by one of the leaks above, it could cause serious (and sometimes irreparable) harm to the institution in a number of ways. Some of the most worrisome include:
- System manipulation: Students and teachers using personal data to gain access to the university system and change grades, manipulate admissions decisions, or even cause reputational harm.
- Ransomware: Hackers using personal data to break into a system and launch a ransomware attack, encrypting important information like other personal data and research logs with the demand of a ransom payment to decrypt it.
- Financial risk: Universities being fined for data breaches, or being forced to shell out millions to repair systems and replace data after a breach.
How do breaches harm students and staff?
Perhaps even more alarming is the risk posed to students and staff who have their data leaked. These data risks include:
- Identity fraud: With enough information stolen from a university, a cybercriminal can access someone’s bank accounts, phone accounts, shopping accounts and more.
- Reputational damage: Putting sensitive data like mental and physical health records, past criminal convictions, sexual orientation and more online for anyone to see can jeopardize someone’s chances of employment or destroy relationships.
How safe is your data?
With all these risks in consideration, you probably have one question on your mind: how safe is the data stored in universities? How likely are staff and students to suffer the data attacks and consequences outlined above?
Ultimately, universities are expected to adhere to 6 data protection principles to keep personal information safe, private, and protected. These principles are as follows:
- Lawfulness, fairness, and transparency: Universities must adhere to national law, keep students and staff informed of data rules, and reveal a subject’s personal information to them for free and within one month if they request it.
- Purpose limitation: Universities must only collect data if they have a specific purpose for it, and must never use that data for another purpose without consent.
- Data minimization: Universities must collect the minimum amount of data required to adequately fulfil their needs.
- Accuracy: Universities must always keep their data up to date, fixing any inaccuracies, errors, or incomplete fields within one month.
- Storage limitation: When data is no longer needed, the university must delete it within a reasonable time scale.
- Integrity and confidentiality: Most importantly, universities are expected to do all they can to keep data safe and secure, using the right combination of technical and organisational measures to protect personal information from unauthorised access, accidental loss, and damage.
The GDPR and university data safety
The six principles above were laid out in the General Data Protection Regulation (GDPR), which came into effect in May 2018, replacing the previous Data Protection Act. The GDPR is the set of European laws that govern all “data controllers,” including universities. These regulations are considered by most to be the strongest data protection rules in the world, and those who don’t follow them are subject to hefty fines.
In the past under the Data Protection Act, the maximum fine was £500,000 per incident. Evidently, this sum was not a big enough deterrent, because in 2018 (not long before the GDPR came into effect) the University of Greenwich was fined just £120,000 for carelessly leaking the personal and sensitive data of 19,500 students. What’s even more alarming is that this was the second incident reported at the University of Greenwich. A serious data breach in 2016 leaked highly sensitive student data like mental health information, asylum applications, and more.
However, if a university doesn’t comply with the regulations set out in the new GDPR, it can be fined up to €10 million for smaller offences and €20 million for larger offences.
Bearing the tight rules and financial risk involved in mind, one would assume the data a university holds on people is adequately protected against data theft. However, while universities today are making an effort to adhere to the GDPR, it remains to be seen whether their efforts will be sufficient.
This is because, to a degree, the GDPR regulations are still open to some interpretation. You may have noticed that the data principles don’t outline any specific numbers or procedures that need to be followed. It’s up to each individual university to set their own local rules governing data. These rules must be in line with the GDPR, but what is “fair” and “adequate” to one university may be considered overkill to another.
For example, the University of Durham has decided that the suitable retention period for the personal data of individual students is a maximum of 6 years after graduation. However, the University of Loughborough believes keeping it for a default of 10 years is necessary.
Likewise, each university has different ways of ensuring the security and privacy of its records. A university’s ability to protect against cyberattacks depends in part on its password criteria. The risk of an insider leak is increased or reduced based on how many people have access to restricted data.
Whether hard copies can be stolen depends on whether they exist and how securely they’re kept if they do. Of course, password criteria, data access, and hard copy storage vary from institution to institution, and some regulations aren’t strict enough to adequately protect against a breach.
On top of that, many universities simply don’t do enough to prevent students and teachers from accidentally leaking their own data or that of others. Consider phishing attacks, for example. These are often preventable, but has your university adequately informed staff and students how to spot rogue emails and when to avoid entering their login details?
As a result, while data stored in universities is safer than ever under the new General Data Protection Regulation, you’re never completely safe from a breach. Of course, there are ways to mitigate your risk even further. One great method is to use a university VPN.
What role do university VPNs play?
A VPN (Virtual Private Network) is a service which changes the way you access the web. VPNs reroute all your traffic through a remote server. The main benefit of using a VPN is privacy – it hides and encrypts all your traffic so no one can easily identify you or break into your connection to steal your data.
These days many universities offer a free, opt-in VPN service to all staff and students. Information on how to log in to the VPN may be given to all students and staff upon joining the university, but in most cases you will need to apply for access by contacting the IT department.
Unlike typical VPNs, which give access to a variety of servers all over the world, university VPNs give access to the university’s own campus network. Using the VPN, students and staff can connect to the university network securely, no matter where they are in the world. This helps ensure data privacy and protection against leaks by greatly reducing the risk of a university’s data being intercepted by a cyberattack.
Imagine a scenario where a professor is travelling on a research project and needs to use a free Wi-Fi network to access their students’ information. If they connect openly to a public network, anyone with minimal tech know-how will be able to snoop on their traffic, steal login details, and access a huge array of student and staff data. However, if a university restricts off-campus connections to those using the VPN, it can ensure that personal information is never left exposed and unencrypted.
While VPNs alone aren’t sufficient to protect against data breaches, they are a very helpful tool in a wide arsenal. If you’re a student or teacher at a university, get in touch with your IT Service Desk to find out how to connect to the VPN when needed.
If you work in IT and records at your university and you don’t yet have a VPN set up, now is the best time to do so.
All in all, since the advent of the new GDPR regulations, personal information collected and stored by universities is much safer than it was in the past. But when it comes to cybersecurity, it’s always important to remember that no matter how strong and closely followed the rules are, it’s impossible to make yourself completely immune to cyberattacks, leaks, and theft.
That’s why it’s so important to use additional methods like VPNs to protect personal information. The more methods you combine, the harder it is for information to be hacked and leaked.