Sacred Heart Latest University To Lose Identities

The latest school to lose student and faculty data to identity thieves, Sacred Heart University of Fairfield, Conn., acknowledged this week that it had been hit by hackers.

"On May 8, Sacred Heart University discovered that the security system on one of our computers containing personal information was breached," the private school of 5,600 wrote in a message posted to its Web site. "We immediately took the computer offline and began an aggressive investigation using university resources and an independent Internet security firm to determine if data was accessed."

Although Sacred Heart didn't divulge the number of records at risk, local television station WTNH reported Thursday that 135,000 notification letters had been sent to current students, prospective students, alumni, and staff members.

Sacred Heart's breach came two weeks after the disclosure of a three-attack run on Ohio University systems that exposed 200,000 people's identities in April and May. In one of the Ohio breaches, the school was unaware of the data lose for more than a year.

According to the PrivacyRightsClearinghouse, more than half of all reported security breaches in the U.S. since February 2005 have happened at colleges and universities, with 25 major institutions losing data over the past 12 months.Sacred Heart used that as an excuse.

"While the University maintains a state-of-the-art computer security system and employs a highly qualified outside computer security firm, it is impossible to be 100 percent secure from illicit intrusion into confidential, personal and financial information," said Sacred Heart in its message to students.

But Gartner analyst Avivah Litan thinks that's a cop out. She criticized universities for their cheap, decentralized approach to security.

"Their security spending is a low priority," Litan said, referring to universities. "Some of the [IT] administrators I've talked to are actually happy about PCI [Payment Card Industry data standard] because it's giving them a reason to try to get more budget for security."

And the open IT infrastructure that most universities rely on makes them an inviting target. "Schools are very decentralized, many with no real centralized security control and a very open environment," Litan added.

"But generally it’s the priorities" that set up schools for identity hacking, she concluded.Other universities have been struck with attacks in 2006, including Purdue and the University of Texas Georgetown University in March, and Notre Dame and the University of Washington in January.

Sacred Heart has set up a Web site with information on precautions those affected by the break-in can take, as well as a toll-free call center. It has also notified local and federal law enforcement of the hack.

The university's only glimmer of hope: "We have not yet received any reports of identity fraud related to this incident," the school said in its online statement.