chevron-down chevron-left chevron-right chevron-up home circle comment double-caret-left double-caret-right like like2 twitter epale-arrow-up text-bubble cloud stop caret-down caret-up caret-left caret-right file-text


Plateforme électronique pour l'éducation et la formation des adultes en Europe



Universities and cyber crime – keep student and staff data under lock and key

par NSS UK
Langue: EN

We often hear about banks, large retailers and healthcare providers being the target of data theft in media coverage, but universities and other educational institutions are also at risk. Universities have a legal obligation to keep the data of students and staff safe and data leaks can result in large fines, a damaged reputation and distrust between students, staff and their institutions. With cyber crime fast becoming the most appealing option for criminals, university leaders should consider investing in better software to keep their institutions under lock and key.


A cyber criminal

What are hackers looking for?
University computer systems store a wide range of staff and student data: personal details such as name, address and beliefs; bank details and other payment information; family contact information; educational and professional history; and even information about their medical history. Personal details that identify someone can be used by criminals to steal the victim’s identity. Bank details are perhaps the most sought after, as they present easy access to someone’s money. Hackers often target businesses for financial gain and accessing the data compiled by large educational institutions can present them with easy pickings.

What is the cost for universities?
It is a legal requirement to protect student data and becoming subject to a data leak can cost universities greatly. The Information Commissioner’s Office (ICO) can impose heavy fines on institutions that fail to stop cyber crime – The University of Greenwich was fined £120,000 when data relating to 19,500 students was made available online. The data had been uploaded to a microsite for a training conference, which hadn’t been closed down or secured properly and attackers were able to gain unauthorised access to the web server.

Coventry University has also suffered a data breach in the past, which resulted in confidential student information being passed to over 2,000 other students in an email attachment. It is likely this was a case of human error rather than criminal activity, and didn’t result in the leaking of bank details, but it will still have cost the university in terms of reputation. Admitting that a member of staff created the problem would certainly add to already wounded pride.  

What is the cost for students and staff?
Besides potentially losing money if criminals gain access to their bank details, students and staff alike can feel immense stress when they are told that their information has been stolen. They rightfully expect the institution to be able to store their data safely and may feel angry, disappointed and frustrated following criminal activity. Students may feel disenchanted by their university and trust could break down. At worst, they could start looking to study at a different institution. This is very similar in the case of staff, who may no longer trust their employer and could start seeking work elsewhere. Word of mouth is a powerful tool and the disappointment experienced by past students and staff could echo in the educational sector for years to come, impacting on future business and stopping the university from reaching its full potential.


Padlock surrounded by computer circuit board

How can universities protect themselves against criminal activity?
First and foremost, universities should ensure that they have installed new and effective software. This doesn’t necessarily mean buying a brand new product on the computing market, it can be as simple as updating current software to the latest version. New versions often include stronger protection against data crime through patching – when changes are made to a computer programme or its data that is designed to improve or update it. Old legacy systems might be best abandoned if they can’t be patched – this can be costly, but it still likely to be much cheaper than facing heavy fines and dealing with damaged relationships.

Staff should always be prepared to deal with a data breach problem. Universities should arrange for training sessions to be provided, covering what must be done if a threat is suspected or a breach has already taken place. They should be made aware of the General Data Protection Regulation (GDPR) and know what their responsibilities are in keeping confidential data safe. Training needs to be carried out on a regular basis to ensure that staff are aware of any changes to data protection law and are well equipped to use new or evolved systems safely. 


You might also be interested in: 

Share on Facebook Share on Twitter Epale SoundCloud Share on LinkedIn