Georgia Tech Breach Puts 1.3 Million at Risk

Atlanta-based Georgia Institute of Technology experienced its own version of March Madness when a data breach potentially affecting 1.3 million current and former students, faculty and staff members hit the university.

Georgia Tech feared the data incident, its second in less than a year, exposed information including names, addresses, social security numbers and birth dates. The Atlanta Journal-Constitution reported Georgia Tech learned in late March that a central database had been accessed by an unknown outside entity.

Brian Johnson, CEO and co-founder, Arlington, Va.-based DivvyCloud, said, “Much like Yale’s disclosure of its data breach last year that it suffered between 2008 and 2009, it could only be a matter of days before affected individuals begin to file class-action lawsuits against Georgia Tech for failing to comply with privacy regulations.”

Johnson pointed out when organizations are entrusted with highly confidential information, such as social security numbers, it becomes the organization’s responsibility to protect it. “Georgia Tech’s incident should serve as a wake-up call for other colleges to leverage automated security solutions.”

Jonathan Bensen, chief information security officer and senior director of product management, San Jose, Calif-based Balbix, said, Georgia Tech is a nationally recognized research university with over 20,000 current students and an alumni network of 140,000 members worldwide who count on the university to protect their data. “Unfortunately for them, this is the second year in a row that Georgia Tech has suffered a data breach. Bensen suggested higher education institutions, like Georgia Tech, must implement a more proactive approach to security and leverage tools that can actually predict when and where a breach is most likely to occur.”

As with all data breaches and/or events the risk could extend to credit unions and other financial institutions.

“This type of information can allow malicious actors to take out loans, intercept tax refunds, use victims’ airline miles, and open utility accounts; alternatively, they may simply sell the data on the dark web for profit,” Anurag Kahol, chief technology officer, Campbell, Calif.-based Bitglass warned. “Schools are responsible for protecting the data that they collect from staff and students (which can include protected health information as well as faculty research.”

Kahol noted on Georgia Tech’s website, it boasts of 173 industry collaborators and 62 U.S. patents issued in 2017 alone. “If the university doesn’t tighten its security controls, this kind of proprietary data is likely to be placed at risk. This is particularly true now that organizations are storing and sharing data in the cloud more than ever before.”

With each breach hackers are able to cross-reference personal information against valid user identities, bought from the dark web. With so many millions of compromised credentials in the wild, organized crime rings and governments have the means, as well as the financial incentives, to deploy credential stuffing and identity theft to great effect.

Ben Goodman, vice president of global strategy and innovation, San Francisco-based ForgeRock, indicated, “Academic institutions are a growing target for attacks given the personally identifiable information they collect for tens of thousands of students, employees, donors and partners. This data will quickly make its way to the dark web where it will be used for identity theft, synthetic identity creation and robotic account takeovers.” Goodman emphasized now, more than ever, education institutions must use modern behavioral analytics, “Know Your Customer” and identity proofing tools during account originations and during email and password resets to fight against these well-armed fraudsters.

A quick reaction from Dan Tuchler, chief marketing officer at Rancho Santa Margarita, Calif.-based SecurityFirst: “How ironic that a university with a high ranking in computer science, which offers courses in cybersecurity, got hacked. This in a state which has had privacy regulations in place – the Georgia Personal Identity Protection Act – since 2007. This is a clear example of the need for encryption of personal data.” Tuchler added hackers always find a way in and need to be stopped before they get the personal data.

“Organizations need to understand their databases are at a constant risk of being attacked. Hackers are evolving and developing new ways to access data, which means organizations need to be prepared to defend against attacks from all access points.” Kevin Gosschalk, CEO/co-founder, Arkose Labs, said. “In this case, an unauthorized user was able to gain entry into Georgia Tech’s database through a web application and now 1.3 million accounts have potentially been compromised.”

Also, late last week hackers also broke into Toyota’s main office servers in Japan, and accessed stored sales information on up to 3.1 million customers. Details about that data breach are still being assessed.