Lack of Network Diligence Will Cost Dearly

Northwest Florida State College acknowledged on Oct. 10, 2012 that it has been the subject of a data breach. The announcement explained the attack included “Northwest Florida State College student data on 76,500 current and past students as well as student data on approximately 200,000 Bright Futures scholars across the State of Florida” as well as 3200 employees.

The breach seems to have been identified and corrected approximately two weeks prior to this announcement, around Sept. 24th. But the report acknowledges that the break-in began May 21st and continued unabated for three months.

The NWFSC student information compromised in the security breach contains public directory information including name and address, as well as confidential student data including birth date and Social Security number. The Bright Futures scholars’ data file includes all State of Florida Bright Futures eligible students during the 2005-06 and 2006-07 academic years. This data file contains student names, Social Security numbers, dates of birth, ethnicity and gender. No student academic files have been compromised.

The Chronicle of Higher Education reports that “cases of identity theft have already been reported, with information used to take out loans or open store accounts and make purchases.”

An update by the university regarding the intrusion added details regarding the attack:

At this point in time, the personal information of employees includes name, birthdate, employee Direct Deposit bank routing and account number information, and Social Security number. Approximately 50 employees to date have reported issues with identity theft, including the college president, faculty and staff.

For universities struggling in a weak economy, high tuition, and questions on the return in investment, failures to protect the information of prospective or current students could prove disastrous. Senior university leadership should learn from the obligations under HIPAA and Sarbanes-Oxley to stay very informed and engaged in the security of their students – both offline and online. That the president of the university was personally targeted by the attackers makes the need for diligence even more important.

It is also a good reminder that all of us receiving funds via direct deposit need to become more diligent checking our accounts.

The university has set up a website at