More colleges suffered data-security incidents last year than in 2006, according to a study that analyzed reports on computer security by news and computer-security organizations. But many of those incidents were caused by mistakes by college officials or theft of property rather than by malicious computer hackers, the study found.
In 2007, 112 colleges reported computer-security incidents, up from 65 in 2006, according to the reports and news articles analyzed in the study, which was conducted by Adam D. Dodge for his Educational Security Incidents Web site. The total number of incidents last year was 139, up from 83 the previous year. (Some colleges suffered more than one incident per year.)
About 100 of the incidents last year exposed Social Security numbers, involving a total of 1,085,708 records. The number of loose Social Security numbers was down from the previous year, when 2,268,580 records that included Social Security numbers were exposed in 66 incidents.
Malicious hackers were not the cause of the spike in incidents, Mr. Dodge said. The number of network attacks by intruders was essentially flat, with 33 reported breaches in 2006 and 30 in 2007.
Instead, colleges were their own worst enemy. An increased number of colleges last year suffered "unauthorized disclosure" of data—in other words, the unintentional release of sensitive information. Forty-nine colleges reported such accidental disclosures last year, up from 20 in 2006.
Theft of college computers or storage devices was the second most common type of data-security incident last year, with 36 colleges reporting 39 cases of data theft in 2007. The previous year, 24 institutions reported 26 cases of theft.
Those figures show that there's more to shoring up data networks than just installing firewalls, said Mr. Dodge. "It's not just a security issue, but it's the people and processes involving data that still need to be addressed," he said.
Mr. Dodge started his Web site, which tracks higher-education security incidents throughout the year, while he was a graduate student in computer security at Norwich University, in Vermont. He now works as the assistant director for information security at Eastern Illinois University, but he says his work on the report is not connected with his role at Eastern Illinois. This is the second year he has published a year-end look at information security on campuses.
It is unclear whether some of the increase in reported incidents can be attributed to heightened interest among news organizations in reporting about computer security.
Eugene H. Spafford, director of the Center for Education and Research in Information Assurance and Security at Purdue University, warned against drawing too many conclusions based on a study that has been conducted for only two years and that relies on other reports.
Mr. Spafford said security continued to be a struggle for college networks. "Campus systems continue to be prized because of high bandwidth, number of systems (particularly student-owned), and collections of personal information of people with good credit histories," he said.