It’s Back: March Madness Higher Education Data Breach Brackets

Monday, March 12, 2012

Alexander Rothacker


It’s that time of year again – March Madness. The NCAA Selection Committee has chosen the 68 teams (still not a fan of the increase from 64) to participate in this year’s NCAA Division I Men’s Basketball Championship. Most recognize this simply as the “brackets”.

In the spirit of what is being called “National Bracket Day”, we decided to join in the fun and issue our Second Annual Higher Education Data Breach Madness Brackets.

The method to our ‘Madness’ is simple – based solely on the number of reported records breached in 2011, we put together brackets (see image below). For each U.S.-based institution of higher learning that reported a data breach in 2011, we seeded (ranked) them based on number of records affected. From there, it was straight forward – the larger the breach, the further they went in the “tournament”, until an eventual champion was crowned.

It is no secret that U.S.-based institutions of higher learning have suffered their fair share of data breach ‘madness’. So, last year we started an annual tradition and take a fun look at which higher education institutions would make the “Data Breach Final Four”. If you didn’t catch last year’s blog post and corresponding brackets, you can check it out here.

While 2011 witnessed a dramatic decrease in the number of reported records affected (478,490), 48 institutions still suffered breaches. Both figures are all-time lows since data breach recording began in 2005.

So, without further ado, your 2011 Higher Education Data Breach Madness “champion” is…Virginia Commonwealth University (VCU), which reported a breach of 176,567 records on November 11, 2011.

2011 Higher Education Data Breach Madness Brackets

 (click on image to enlarge)

During last year’s NCAA tournament, VCU captured the nation’s attention with its Cinderella-like actual Final Four appearance before ultimately seeing their journey end in a 70-62 defeat at the hands of the Butler Bulldogs.

Unfortunately for VCU, their “Data Breach Madness Final Four” journey did not fall short and they earned the distinction of reporting the largest data breach of 2011 by a U.S.-based institution of higher learning.

Rounding out the 2011 “Final Four” are the University of Wisconsin Milwaukee (79,000), Yale University (43,000) and the University of South Carolina (31,000). 

Year-By-Year All-Time Data Breach Madness “Final Four”

(click on image to enlarge) 

VCU became the 21st higher education institution since 2005 to report a data breach in excess of 100,000 records and was the only one to eclipse that number in 2011. Three institutions exceeded the 100,000 mark in 2010. 2005 saw the most schools go over 100,000-figure with six, whereas 2006 and 2009 had four apiece. 2007 and 2008 had just one each.

Year-By-Year U.S. Higher Education Data Breach Totals

(click on image to enlarge) 

 The “winner” of last year’s ‘Madness’ was Ohio State University, which got hit for a breach consisting of a reported 750,000 records – good for #2 all-time (see Top 10 image below).

And 2012 is already off to a big start, as Arizona State University (ASU) reported a breach of 300,000 records in January, which would put them in a tie for fourth highest U.S. higher education breach of all-time.

Top 10 U.S. Higher Education Data Breaches Of All-Time

 (click on image to enlarge) 

While it is very encouraging to see the record-lows in 2011, those of us here at Application Security, Inc. advise higher education institutions to proceed with very cautious optimism. Will ASU make it to the “Final Four” and take home the unwanted distinction? Was 2011 an anomaly, rather than a trend moving in the right direction for the education vertical? Only time will tell.

Best of luck to all of you whose alma maters will be vying for the national championship and fingers crossed that none of yours made our Data Breach Madness Final Four!

(All from statistics included in the Higher Education Data Breach Madness brackets and lists were sourced from Privacy Rights Clearinghouse)

Possibly Related Articles:
General Breaches
Information Security
Data Loss breaches Privacy Enterprise Security Higher Education Personally Identifiable Information TeamSHATTER March Madness Privacy Rights Clearinghouse
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.