Last week, the New York Times reported that a wave of cyber attacks most likely originating in China has hit public research universities across the United States.
According to the report, millions of attempts are made each week to access privileged information on the servers of American universities. Some of the attempts have been successful and have compromised such personal data as Social Security numbers. Often, these universities are unaware that they have been hacked for weeks after the fact.
This digital threat is particularly insidious considering the value of the records on file at research universities. Hacking poses a threat to the technological advances made by university researchers as well as to a trove of personal information about the university’s faculty, staff, and students, including medical records and official transcripts.
But such large-scale attacks are not the only threat to data at the University of Iowa. A number of internal and external audits have found problems with the university’s digital-data security.
The UI ought to take steps to better secure its valuable data against threats large and small, from international cyber attackers all the way down to small-scale mismanagement of data.
Internal and external auditors indicate that there may be some flaws in the way the university handles its data.
A February internal audit of the UI found, for example, that the Physics/Astronomy Department was not following the university’s policies and best practices for information technology. Among other changes, the audit recommended that the department change its system of user authentication and computer-management process, eliminate non-UI wireless Internet access points, and back up its critical data in an off-site location.
A list of the most common IT problems uncovered in internal audits, provided by the university’s Office of Internal Audit, illustrates the vulnerability of our data. The list includes oft-dispensed instructions to ensure that all wireless access points are secure, “ensure any documents that contain Social Security number information are removed from institutional machines,” and “ensure all websites requiring log-in with user names and passwords are encrypted.”
A state-level audit raised another concern about the safety of data at the UI. A report from Iowa’s Office of Auditor of State released earlier this month found that the university has failed to properly encrypt data on portable devices used on campus.
“Portable devices, including laptop computers and USB drives, present a risk to the university until they are encrypted,” the audit noted.
In its response, the university noted that encrypting data on portable hardware is primarily intended to guard against data loss in the case that the device in question is lost or stolen. That’s a very rare occurrence; only five university laptops were lost or stolen in the seven fiscal years leading up to the audit.
Still, the risk is there and will not go away until the university takes steps to eliminate the many small, systemic vulnerabilities that could lead to a major problem. The information stored on the University of Iowa’s servers is too important not to secure completely.