Over 1,000 Penn students and administrators fell victim to a self-proclaimed hacktivist group last week when names, email addresses, phone numbers and PennCard numbers were leaked from a University database.
Although Penn assured community members that no sensitive information that could result in identity theft was compromised, the hack made many people anxious and generated a sense of insecurity on campus.
The hacktivist group, Team GhostShell, penetrated databases across 100 universities with the aim of sparking conversations about the current state of higher education. While the hackers failed to live up to their lofty goal and served no public good, their attempt to expose the vulnerabilities of higher education has revealed key faults in Penn’s computing system.
Penn has a lot to learn from last week’s attack. In addition to investigating the incident, the University should conduct a rigorous review of its information technology network to prevent future hacks. Since Penn operates through a decentralized computing system — which promotes the free flow of information — individual schools and departments must do their due diligence to ensure their servers are secure.
Looking forward, the University should develop a more centralized system to identify and tackle security concerns across all its servers. Currently, each school is responsible for securing its servers. Information Systems and Computing — which manages shared services like Penn InTouch — can identify security risks and alert individual schools. However, it is limited in its ability to act upon such information.
Granting ISC the power to issue mandates for schools and departments to protect their databases will help mitigate security concerns. Creating a more centralized security system with checks and balances will also address weaknesses in the current model.
Penn should also explore different ways to identify risks and establish best practices. The Office of Audit, Compliance and Privacy may be in a position to offer valuable insight.
The University, nonetheless, should be commended for responding swiftly to the hack. Within two days of the leak, three websites originally used by Team GhostShell were taken down at Penn’s request. Penn rose to the occasion by reassuring students and staff in a University-wide email and by reaching out to victims of the hack to express its regret. Penn should also be commended for pledging to share information gained during its investigation with law enforcement authorities.
But the University’s efforts should not stop here. It should work to address the community’s lingering concerns. It should turn this deplorable incident into an opportunity to educate us on how to stay safe in cyberspace.
It might simply begin by publicizing services like Identity Finder, which is available to students for free and allows users to find and delete personal information stored on computers.
Students urge the University to publicize its Policy on Confidentiality of Student Records more widely and in an accessible format. We must educate ourselves on clauses within this policy that allow us to opt out of disclosing our addresses, telephone numbers and other basic information.
After all, our lives are inextricably tied to technology. Learning to secure our data will pay huge dividends in the future. While data and privacy issues extend beyond the University’s bubble, Penn should equip us with the knowledge to protect us from vulnerabilities.