Penn State hack exposes theft risk of student personal data


Pennsylvania State University’s College of Engineering took its computer network offline on May 15 after disclosing two cyberattacks. The perpetrators were able to access information on 18,000 students, who are being contacted this week with the news that their personal identifying information is in hackers’ hands.

Three days later, the computer network is back online, with new protections for its users. One of the two attacks is ascribed by a forensic cybersecurity corporation retained by Penn State to computers apparently based in China.

As a researcher who has published on hacking and hacktivism and serves on the board of the UC Irvine data science initiative, I believe two aspects of this news story deserve particular attention.

Compromising student data

Penn State announced last week that the FBI alerted it on November 21 2014 about an attack with custom malware that started as early as September 2012.

Why did it take so long for Penn State to disclose the breach, despite the fact that the experience of large-scale hacks in 2013 and 2014 (against Target, Home Depot and others) clearly demonstrated an urgent need for quick and full disclosure – both to help the victims and to preserve a modicum of trust?

Penn State stated only that any disclosure would have tipped off the perpetrators before their access to the College of Engineering computers could be cut off. Meanwhile, student data may have been compromised for at least six months, maybe longer.

Another conspicuous problem with public discussion of events like this is, in fact, the lack of distinction often made in the media between actual appropriation of data (as at Penn State) and mere temporary disabling or defacement of websites (as happened to Rutgers University last month). That is like being unable to make a difference between a grand theft auto and keying a car.

The question is, what can universities do to limit the risk to their students?

The exposure of student data in higher education is not limited to Social Security numbers or email passwords. Information collected and retained by educational institutions includes full name, address, phone number, credit and debit card information, workplace information, date of birth, personal interests and of course academic performance and grade information.

Online interactions in particular present a bonanza of data collected automatically – from clicks and mouse patterns to behavioral feedback, giving rise to predictive analytics about passing rates and graduation times.

President Obama only recently called for laws covering data hacking and student privacy. “We’re saying that data collected on students in the classroom should only be used for educational purposes,” he stated in his speech to the Federal Trade Commission (FTC) earlier this year.

Data privacy concerns

If students’ right to privacy needs to be protected from the specter of foreign intelligence agencies poking around the Penn State Engineering School, then by the same logic it should be protected also against data-mining by for-profit actors right here in the US.

Until May 2014, Google, for instance, routinely mined its apps for education services for advertising and monetizing purposes. When Education Week reported that Google was mining student emails, it quickly led not only to lawsuits but also to landmark legislation. The California Senate Bill 1177 was enacted to prevent educational services from selling student information or mining it for advertising purposes.

Yet, almost a year later, students in California remain just as concerned about their data privacy as before – since the new state law was watered down to apply only to K-12 and not to higher education.

And when it was disclosed earlier this spring that education publisher Pearson secretly monitored social media to discern references to their content, the legislative response was one that, according to the Electronic Privacy Information Center (EPIC) in Washington DC, “fails to uphold President Obama’s promise that the data collected in an educational context can be used only for educational purposes.”

Safety of private information in higher education

Students in higher education nationwide are still in a position where they cannot opt out of the computer services of their learning institutions, and so they have no expectation of privacy.

Despite President Obama’s promises for safeguarding the privacy of consumers and families, and despite the fact that a number of technology companies concerned with growing consumer distrust recently signed a pledge to safeguard student privacy, neither Google nor Apple signed on.

The President’s Council of Advisors on Science and Technology (PCAST) was tasked to examine current and likely future capabilities of key technologies, both those associated with the collection, analysis and use of big data and those that can help to preserve privacy, resulting in a direct recommendation to strengthen US research in privacy-related technologies.

And overwhelmingly, respondents to a White House survey recently expressed severe reservations about the collection, storage and security and use of private information.

Maybe it is time for higher education to heed those signals.

Author Bio:Peter Krapp is Professor of Film & Media Studies at University of California, Irvine