THE SCENE OF THE CRIME
DATELINE: Your Town, USA. It was a dark and stormy night and a crime was being committed: the felonious theft of precious goods for material gain. The victim was an organization engaged in a variety of businesses including computer database administration, health care services, financial services, and a retail merchandising business.
As a database administrator, the victim managed vital records of others including names, addresses, birth dates, phone numbers, email addresses, and social security numbers. Beyond these basic identity records there were also bank records including account numbers and bank routing numbers.
There were also patient health records and health insurance information. And there was other information in the database of an even more sensitive nature that might not have a dollar value but was precious from a personal reputation standpoint.
The financial services sector of this organization was privy to a lot more than checking or savings account information. It actually made electronic payroll deductions on behalf of individuals and allocated those deductions to a menu of retirement accounts. It even processed income tax withholding.
The retail arm sold logo clothing, books, laptop accessories, and sundries. It accepted cash, checks, and credit card payments for the items it sold. The retail establishment was well run and physically well protected. Cash and checks received were kept in a secure location until bank deposits could be made and there was a failsafe system of accounting for all monies coming in and flowing out to avoid fraud.
In fact, each of these sectors of the organization was well protected from a physical premises standpoint and used a system of checks and balances to ensure that no data could end up being taken away from the premises either surreptitiously or inadvertently.
The IT department had been vigilant in securing computer networks also. Their main interest was making sure that computer viruses did not infiltrate the network and corrupt databases but they had also instituted a system of password protection for each member of the organization’s computer network.
Still, the theft was an inside job. It occurred at 12:15 in the morning and took only a short time to accomplish. After the crime, police searched for physical evidence of a break-in but found nothing. In fact, the crime had taken place on a computer from a remote location.
There were two perpetrators who were eventually arrested but who were not suspected at first because they did not appear to fit the routine profile of thieves. They were teenage boys. They made outstanding grades in school, dressed respectfully, were active in clubs and had no record of prior burglaries, not even a misdemeanor shoplifting charge. They were not connected to drug use. They obeyed curfew requirements. They were cyber hackers and had breached their school’s computer system.
THEY’RE JUST KIDS
Who are these teens? They may live on your block. A survey in 2009 by Panda Security sampled 4000 fifteen- to eighteen-year-olds and found that 67% had tried hacking into their friends’ social media accounts. In another survey in New York City in 2010 by Tufin Technologies, 16% of the 1000 kids surveyed said they had tried hacking.[i]
In Orange County, California, two eighteen-year-olds hacked into their school’s computer network to alter grades and steal test material. One of the boys had infiltrated the school network multiple times and was charged with 69 felony counts, which could add up to over 38 years in prison. The charges against him include: altering and stealing public records, computer fraud, burglary, identity theft, receiving stolen property, and conspiracy.
The other boy was charged with a single count on each of four crimes from conspiracy to attempted altering of public records. People who knew both boys and their families attested that both were good kids. Their high school, which has 2,800 students, is highly ranked.[ii]
Other cases of such crimes range across the continent from California to New Jersey and Maryland. The students are highly tech savvy, possibly more so than most of the adults in their schools and clearly more so than adults give them credit for being.
Some of the crimes have involved the use of keystroke-recording malware that students have clandestinely installed in school networks. In other cases, students have explored YouTube for readily available instructional videos on the art of hacking everything from Facebook accounts to school databases. Some more attentive students have proved adept at observing teachers entering their own passwords on their desktops or laptops during class periods.
This does not mean that students are the only people who might hack into high school or even university databases and computer networks. Adult thieves may be involved in the crime and are perhaps more likely to steal physical property during a break-in at the school premises. Burglaries can include anything from laptops to smart phones to computer hard drives, all of which enable cyber breaches down the road.
But such breaches may be easier for students to accomplish without a premises break-in since they have a presence on campus, at least during school hours, and legitimate access to institutional networks at some level. Students may be motivated to alter academic records or get previews of test questions like the fraternity brothers of Delta Tau Chi in the movie Animal House. However, cyber crime can be even more sinister and include hijacking web sites with hate speech or pornography.
BUT WE’RE JUST A SCHOOL
Whoever is doing the hacking and perpetrating the breach, schools need to recognize all the businesses they are actually involved in and the cyber risks related to those activities. Universities and private schools may be involved in a wider variety of exposures than public schools but all educational institutions should consider their risk broadly.
All schools possess personal identification data that includes physical and electronic contact information, phone numbers, and social security numbers. The theft of any portion of this information is big business and compromises the personal security of individuals. It is the risk that we most commonly associate with school cyber risk, but in addition to that basic information, schools also store financial data, some of it obvious and some not.
School sports departments may require health evaluations in order for students to participate in sports such as wrestling or lacrosse or soccer. Student athletes may even be required to provide evidence of health insurance that is kept on school databases.
Even public K-12 schools may be in the financial services business in ways that are not readily apparent. Besides providing direct deposits to personal bank accounts for employees and making tax and 401k or pension deductions, schools may store bank account information of students or their parents. Most parents have experienced paying for school organized events and field trips with a check and while that may not entail a debit or credit transaction, checks may be scanned and information recorded by schools for accounting purposes. In some cases, credit payments are possible.
Public school Parent Teacher Associations as well as private school development offices raise money for a variety of causes. While PTA fundraisers support fine arts programs, purchase sports equipment, and augment classroom supplies, private school development offices promote capital projects as well as scholarships. In some states, individuals can also allocate tax refunds to scholarship programs at their favorite school directly through the IRS. In all these cases, a donor list is a highly confidential item that bears not only financial information but identities that many donors desire to remain private.
Most schools today, public and private, also have websites that provide parental access to their student’s grades, class schedules, teacher phone numbers, email addresses and websites, home pages, or even a social media presence. These parent portals are generally password protected; however, a breach could open up a world of private information.
School stores where students purchase textbooks and supplies may accept a variety of forms of payments including credit. In addition to books, both public and private schools may give students the opportunity to purchase spirit wear, food, and other items. School merchandising in private schools and universities may include a broad array of goods and even reach out to alumni via the school website.
University websites also promote or sponsor summer education opportunities for alumni as well as overseas excursions led or directed by university professors. These are often announced in electronic alumni newsletters and posted on alumni office websites linked to the university’s website. These postings offer online registration and credit payments that capture personal records.
Alumni websites also often include social media facilities offering everything from social networking to job searching or job posting. These sites allow users to set up password protected profiles, similar to Facebook and LinkedIn, with a variety of private personal information.
Finally, all schools store sensitive information about students, teachers, and other staff. For students, this can include psychological evaluations that enable them to have additional time on tests as well as college entrance or admission information and SAT registration data. For teachers, such information contains performance reviews, salary and ranking comparisons, and professional conduct records.
No matter what activity segment of a school network is compromised by a student or other hacker, the repercussions are both personally invasive and legalistic. The direct and immediate consequence of that midnight raid by two students may be the alteration and theft of privileged matter such as grades and test data. However, once the breach is made the misappropriation of a wide variety of data can quickly imperil everything from personal finances to personal safety to personal reputations.
More than that, the fact that many of us use the same passwords for all of our password protected electronic sites affords hackers more opportunity than just the school database. A breach of the school network may lead to breaches of our personal collections of online payment and social media accounts.
Schools also have a duty to ensure the security of their records and that duty is regulated on both a federal and state level.
- FERPA is the Family Educational Rights and Privacy Act and is administered by the US Department of Education. It affords parents or eligible students the right to inspect all personal records held by schools and requires schools to keep private all student records except under specified situations.
- HIPAA is the Health Insurance Portability and Accountability Act administered by the Health and Human Services Department. In tandem with the HITECH Act, it protects the privacy of personal health and health insurance information.
- FCRA is the Fair Credit Reporting Act administered by the Federal Trade Commission. Along with sections of the Gramm-Leach-Bliley Act, FCRA regulates the privacy of financial transactions and information.
- PCI-SSC is the council that regulates standards for the payment card industry. These standards ensure the privacy and accuracy of credit card transactions.
All of these regulations, as well as various state regulations, include mandates regarding an organization’s response to a data breach. In most cases, notification is required to be sent to potentially damaged parties within certain time frames. These are often called “red flags” and can cost as much as $400 per record.
Any situation involving risk as well as the potential of regulatory action is a serious matter, and the possibility of students hacking into school databases is growing. The internet itself provides both an open forum for hackers to advise and encourage each other and step-by-step instructional videos.
Schools and their insurance advisors should review all the potential sources of data breach and devise strategies including a system of strong passwords and authentication procedures. Passwords of users should not be repeated among an individual’s other secure zones and schools should separate various database networks so that a breach in one area is not an open door to the entire system. Encryption of information is the gold standard.
Appropriate insurance is also a key aspect of cyber risk management. The right coverage can compensate for first party loss as well as lawsuits from third party damage. Cyber insurance coverage can also include:
- cost of data restoration
- insurable portions of breach notification costs
- business interruption and the costs of service denial
- cyber extortion
- web content liability
- non-digital data files
- tech errors and omissions.
The best risk management for cyber crime is a combination of prevention and appropriate insurance coverage. Vigilance is crucial. So, whether you’re a public or private school or even a university, check your watch. It’s midnight. Is your data tucked in?