The threat of having personal data stolen is a growing concern for those who trust institutions with their private information. Providing personal information is a prerequisite to using many websites and applications, but many people have concerns about their personal information being leaked or sold. With large-scale cyberattacks becoming more obvious to the public, students should be savvy about what happens with their data.
Westin Mokhtari, a sophomore pre-business major, expressed frustration with companies that do not seem to value security.
“It shows what shortcuts a lot of these companies are willing to take in order to just get the most amount of money from someone or a group of people,” Mokhtari said.
In order to best protect their data, students should evaluate how institutions like Boise State manage third-party data usage, maintain transparency about data leaks, inform users about phishing emails and prepare for the future of cybersecurity.
Third parties and personal information
Leaks such as the breach at Equifax, a credit reporting company, which exposed the personal information of over 145 million people due to poor cybersecurity, struck a chord with the millions who had their financial lives put at risk. These concerns narrow down to the institutional level as students worry that, one day, their information could be leaked from Boise State.
Blackboard and Orgsync are some of the more common third-party applications that students use. Blackboard, for example, stores data protected under FERPA, or the Family Educational Rights and Privacy Act. Blackboard’s website indicates that information cannot be shared with third parties except those permitted under FERPA. Educational records are protected personal information, and only the student or approved school officials can receive that information for educational purposes.
By enrolling at most universities in the U.S., students have likely given permission for institutions to share information with third parties. Because Boise State has moved to a “cloud-first” data storage system, there are more potential ways that third parties may use or need student information.
Ty Callihan, a senior construction management major, had not considered that third parties may be using personal data under the terms and conditions.
“I’ve never actually considered that a company would give my information to a third party, but I’ve never read the terms and conditions,” Callihan said. “I just never considered that those would be in there.”
Callihan is not the only one who does not read the terms and conditions. Business Insider reported in Nov. 2017 that 91% of consumers don’t read the fine print when using a service or application.
Doug Ooley, executive director and chief information security officer, explained the usage of contracted third parties. As the digital landscape grows, there is a stricter examination of which third parties the university does business with.
“Contracted third-party vendors may have a business need to use student information,” Ooley said in an email. “With the university’s cloud-first strategy there are definitely more requirements for third-party vendors to use student data. There are numerous third-party applications that may use student data but Blackboard is the biggest user of student data.”
Personally identifiable information includes identifiers like financial information, Social Security numbers and addresses that are not to be provided to the public by a third party or institution. Under FERPA, third parties are required to keep such information safe if they have it.
Fresno State data theft
In December of 2017, approximately 15,000 people, including 3,000 former Boise State students, fell victim to an uncommon data attack — an external hard drive was stolen from Fresno State containing their personal information from 2007, 2008 and 2011 football camps. Boise State responded by alerting those whose personal data was contained in the hard drives, but not all could be reached due to outdated contact information.
Ooley said his department discussed improvements to be made in response to this data theft.
“My office performed technology audits, assessments and recommendations to the affected department as a result of the Fresno State data breach,” Ooley said. “Updates to the desktop, laptop and tablet PC policy were recently submitted for approval. Boise State follows all federal and state guidelines for data breach reporting, including user notifications for transparency purposes.”
Boise State is required by law to report any data theft it knows of, but as with the Equifax breach, it is possible not to know about a data leak until months later. However, Boise State’s practices continually evolve to protect the cybersecurity of students.
“Although it is impossible to guarantee that student data will not be stolen, students can be assured that the university security program (including policy and practices) and defenses will continue to evolve with the cyber threat landscape to limit the risk of data loss,” Ooley said in an email.
Dr. Jyh-haw Yeh, a faculty member in the department of computer science at Boise State for nearly 20 years, noted that external hard drives are being phased out and replaced with cloud systems to provide the most protection.
“With the advancement of cloud technologies, Boise State and any other institutes should migrate their data to clouds,” Yeh said in an email. “Reputable cloud service providers should provide reliable cloud storage with less cost and better security.”
Yeh later went on to explain that external hard drives are no longer the best method for data storage.
“Storing personal data in external hard drives was not uncommon ten years ago, though it is not a good practice now,” Yeh said. “As I mentioned earlier, with the advancement of cloud services, we should migrate data to clouds because reputable cloud service providers have more resources than individual organizations to build a more robust protection.”
Students are also vulnerable to data leaks that do not originate from the university; that vulnerability often takes the form of phishing emails. Those emails seek to gain personal information by threatening a sudden action, such as deleting an account, or by posing as a legitimate email from a trusted source to get recipients to enter information.
“My office registers between 8 to 12 phishing campaigns a month and each campaign varies in the number of phishing emails sent from dozens to hundreds,” Ooley said. “On average, we typically see less than 1% user engagement rate on any given campaign. Over the past 5 years, we have seen between 50 to 70 users annually that actually engage the campaigns and require intervention and follow up. We did see an uptick in user engagement with an October phishing campaign centered around canceling accounts. Several hundred students engaged the phish that required escalated intervention from my office.”
Mokhtari says that he receives about one phishing email per month.
“I don’t expect to get any emails unless it’s from work, so I’m usually skeptical of every single email I get in the first place,” Mokhtari said.
Phishing emails are a small threat compared to a company-wide breach, but staying aware of the problem is the best course of action to prevent scams.
The future of cybersecurity is unpredictable but likely to grow to meet the frequent demands of phishing emails, cyber-attacks and data leaks. Yeh cited research from Global Market Insights that predicts the cybersecurity market will grow from $120 billion to $340 billion by 2024.
“As a cybersecurity faculty, I agree with the report’s prediction because I’m also seeing a sharp growth of cybersecurity effort within academia, industry and government in recent years,” Yeh said. “To respond to the trend of cybersecurity demand, the Department of Computer Science at Boise State has developed several cybersecurity programs to prepare our students with the necessary skills and knowledge. To broaden the cyber awareness education to non-STEM majors, several campus-wide efforts in developing cybersecurity programs for all [students] are also underway.”
Because cybersecurity is not absolute, students must take much of the work of preventing data theft into their own hands. At an institutional level, that action comes in the form of awareness of policies and of how their information is used with third parties.
“Humans are the weakest link in the entire chain of cyber protection,” Yeh said. “Human errors and some inadvertent actions are the main sources making systems vulnerable to attacks. Some basic cybersecurity training, such as correct password usage and maintenance, and awareness of phishing emails and messages, could significantly reduce personal data theft.”