
Data Breaches in Higher Education: Protecting Research, PII, and Institutional Trust

  • Writer: Isabella Vizzacchero

Post-secondary institutions are a hub for novel research initiatives while also managing significant levels of personal data, making higher education an ideal target for cybersecurity attacks and data breaches. According to the Bank of America, as of 2023 cybersecurity incidents within higher education can cost each university close to US$4 million.


The increase in security incidents affecting universities around the globe underscores the need for proactive safeguards to protect the personal data of students, faculty, and employees, as well as the institution’s body of academic research. Data breaches affect not only the individuals whose personal data was compromised, but also the credibility and future funding of the institution itself, making it crucial for universities to invest in a secure data management platform that mitigates cybersecurity risks, rather than compromising highly sensitive information and intellectual property.


Universities are Attractive Targets

The rising prevalence of artificial intelligence is transforming cybersecurity. Although AI is substantially reshaping cybersecurity practices, it also introduces novel methods that let attacks scale at an unprecedented pace, making large-scale attacks against institutions like universities far more frequent and enabling cyber threat actors to demand ransoms from academic institutions.


Post-secondary institutions handle a constant flow of information, driven by rotating research teams, newly enrolled students, and high turnover across a large user base. The sheer volume of data, coupled with numerous access points, such as databases spread across disconnected systems, and inconsistent governance across faculties, positions universities as a lucrative and vulnerable target. An example of this is the recent database breach at Princeton University, in which the cyberattack compromised the personal information of 1.2 million alumni, donors, and students. Such data breaches result in severe reputational damage, particularly for Ivy League institutions such as Princeton, and investigative efforts may force a university to close down for days.


In July 2023, cybercriminals posted a database from Indiana University that included the names and email addresses of nearly 250,000 students. It exposed information such as race, sexual orientation, identity, and ethnicity after the institution stored this data in Azure Storage blobs, consisting of over 1.3 million unprotected files.



Months later, in September 2023, a cybersecurity incident at the University of Georgia (UGA) left the names, Social Security numbers, salary, and benefit information of students and faculty exposed through a defect in the university’s data transfer and storage software. The MOVEit software used to store and transfer sensitive data was accessed by unauthorized individuals, leaving thousands of students and staff vulnerable to identity theft, with UGA sending letters to those whose information was compromised.

Confidential PII is not all that is at risk in data breaches; academic and research data are also vulnerable to threat actors. In February 2020 and again in June 2021, two Chinese nationals were charged with hacking into several U.S. universities’ systems to steal unpublished COVID-19-related research, including research on vaccine and treatment development. Universities therefore remain a target not only for valuable personal and financial information, but also for innovative, high-impact research.


The impact of poor cybersecurity systems and vulnerable third-party software tools goes beyond reputational damage or loss: it results in operational and academic interruptions, forcing a university to shut down for days.


The Complex Higher Education Context

What does this mean for users of the compromised data? It means that PII and PHI are at significant risk: the personal information, health records, and addresses of users, in addition to research data and intellectual property such as unpublished research or proprietary findings.


But it is more than data and files; the trust, safety, and credibility of the university are at stake. The unfortunate truth is that many universities are vulnerable to cyber attacks due to the nature of cross-jurisdictional research. Academic institutions often collaborate with external laboratories, researchers, fellow universities, and industry partners, providing many opportunities for data to be compromised across the various platforms used. This can be increasingly complex in the health and social science fields, where strict data security and privacy protocols must be adhered to.



University breaches happen in various ways, but incidents can be attributed to phishing emails, weak login credentials, external collaborators, misconfigured storage and permissions, and unchecked technical vulnerabilities. Universities make an appealing target for data breaches due to the nonstop communication among the different types of users; phishing emails disguised as pressing matters, such as a missed tuition payment or renewed HR policies, allow cyber threat actors to steal credentials and easily access internal campus portals, research data, and personal information.


Another vulnerable point for universities is shared drives and cloud storage, which are heavily relied on in both administrative and research capacities. Drives or files are often shared informally due to the fast-paced nature of academic research and the turnover of rotating research teams. Additionally, a lack of protocol governing privilege-based access to data, together with shares that are never revoked, leaves research teams unable to pinpoint the many external collaborators who may still have access to IP or proprietary data. Excessive access that is not carefully tracked increases attack exposure, creating opportunities for hackers to enter internal systems.


Securing University Research Data with a Centralized RDM Platform

Given the high volume of external partners and collaborators that contribute to and have access to a university research team’s data, data exposure means reputational damage, financial penalties, and research participant liabilities.


With these significant risks, universities must take precautionary measures to mitigate their susceptibility to data breaches and strengthen their security governance. Post-secondary institutions must have systems that embed regulatory compliance in every aspect of their daily workflows, as opposed to applying it after the fact. A consolidated system designed for collaborative teams, myLaminin addresses an academic institution’s needs for security in a research environment. myLaminin’s comprehensive project space supports shared documentation and data handling, rather than fragmented data across interdisciplinary projects.


Principal Investigators (PIs) in an academic research initiative must effectively govern their research in accordance with data management plans. With myLaminin, fewer systems spread across a shared work infrastructure means clearer project oversight and enhanced cross-functional communication, creating smoother workflows that mitigate data breach risks.

 

More specifically, studies that involve human participant data must prioritize secure collection protocols that incorporate PII data anonymization. Research teams should implement role-based access and data control capabilities, ensuring that authorized team members retain full control while exposure is reduced. Universities should also ensure they can deliver data sovereignty within their research management platform to address their jurisdictional regulatory requirements.

 

myLaminin meets these needs through a centralized RDM platform that embeds end-to-end data sovereignty, protocol compliance, and security to strengthen data governance and reduce risk across academic research. PII and PHI are protected through secure data collection and role-based access controls, safeguarding participant privacy.


By supporting secure, collaborative data management across the research lifecycle, myLaminin enables the delivery of high-impact, trusted research outcomes.

 



Isabella Vizzacchero (article author) is a myLaminin intern studying Management and Organizational Studies (BMOS) at Western University.

Image by Andrew Neel