Over the past few months, SLC Security has been noting a lot of malware and botnet activity in the education sector – problems, they say, that the entities often don’t acknowledge when SLC Security attempts to alert them.
Yesterday, SLC Security wrote that they were seeing traffic from:
- New York University – Malicious Activity
- Princeton University – Malicious Activity
- University of Pennsylvania – Malicious Hacking Activity
- Carnegie Mellon University – Botnets and Compromised Systems
And they note:
While we have attempted to contact as many organizations as we can, we have noted that many have not acknowledged the activity even though some data has been seen on Darknet and some forums.
So while students, employees, and faculty may be at risk of ID theft or not know that their details are up for sale somewhere, universities ignore alerts from researchers, or maybe do a quick fix and then hope no one will publicly report that they’ve been breached? I’m not suggesting that the four universities named above have covered up any breaches, but am just speaking in general here.
Maybe SLC Security and other security researchers should create a public wall of shame for universities that don’t respond to notifications and/or don’t disclose. And if data are being leaked, what kinds of data are being found for sale on the Dark Web? They can insert a disclaimer that the source of the data on the Dark Web may not be from the currently observed problems, but that it’s up there and the public needs to know their data are up for sale so they can protect themselves. Just saying, “Hey, we’re seeing bad stuff” is not really helpful to those who may be at risk, even though I understand that commercial outfits would like organizations to actually hire them (in which case any transgressions might be shielded by a nondisclosure agreement or confidentiality).
A Wall of Shame might also serve other important agendas. It might increase public – and Congressional – awareness of the scope of problems in the education sector.
And then maybe – just maybe – Congress will pay more attention and we’ll get some laws that empower a federal agency to actually enforce data security in the education sector.
In the meantime, this blogger continues to believe that the FTC has the authority to enforce data security in the education sector for student financial information under the Safeguards Rule. It has never done so, however, despite this blogger and EPIC.org filing complementary complaints about the MCCCD breach that was reported extensively on this site.
I realize that not everyone is a fan of naming and shaming. So call it something other than “Wall of Shame,” but if personal, financial, or health information is being exposed and the organization doesn’t respond and/or disclose, shouldn’t someone share this information with the public?