LOS ANGELES - Universities have become attractive targets for hackers who are taking advantage of the openness of the schools' networks, their decentralized security and the personal information they keep on millions of young adults.
Sound off on the important issues at
A major database breach at the University of California, Los Angeles that went undetected for more than a year and a smaller breach at the University of Texas are the latest examples of how vulnerable colleges are to such attacks, security experts said.
Universities account for more than 50 data breaches on a list of more than 300 so far this year as tracked by the Privacy Rights Clearinghouse. Hackers have broken into computer systems at Georgetown University, Ohio University, the University of Alaska and Western Illinois University, among others.
"They are a major category, if not the major category," Clearinghouse director Beth Givens said.
The UCLA breach was discovered Nov. 21 when the university noticed a hacker was fishing through the database specifically for names and Social Security numbers. Officials said the hacks date back to at least October 2005.
Hackers also might have obtained the personal information of 6,000 people who worked for, applied to or attended the University of Texas at Dallas, school officials said last week.
The information includes names and Social Security numbers, the school said. In some cases, addresses, e-mail addresses and telephone numbers also might have been obtained.
In both cases, school officials stress there is no indication that any of the information has been used to commit identity-theft crimes.
One reason university databases make such attractive targets is that Social Security numbers are routinely used to identify students.
"It is about time that Social Security numbers receive more protection or that they no longer be used for identifying individuals within the university system," Givens said.
Universities also need to communicate freely with other educational institutions and the public to foster research.
"On the academic side, we want people to see what we do and who we are, within limits," said David Farber, professor of Computer Science and Public Policy in the School of Computer Science at Carnegie Mellon University.
Universities do take seriously, however, the need to separate sensitive personal data from academic data that is more open, Farber said.
"On the administration side of the house, they are running a business and should behave like a business," he said.
Tougher penalties for data breaches also need to be enacted, said Robert Brownstone, an attorney at the Silicon Valley law firm Fenwick &West.
Despite several attempts, there is no strong federal law mandating that universities notify everyone whose information has been compromised due to security breaches. Laws in 33 states vary in notification requirements placed on universities and corporations.