As the depressingly steady march of breach notifications comes across my RSS feeds, I notice that US colleges and universities seem to be the victims of an awful lot of breaches. At least, when I skim the list of breaches cataloged by resources like the DataLossDB and the Privacy Rights Clearinghouse, the names of colleges and universities stick out to me. It sure looks like higher education makes up a disproportionate number of breach victims. Several other infosec writers, both inside and outside academia, have made the same point (see below for more articles on the topic).
But, maybe that’s just confirmation bias. Maybe colleges and universities are not breached any more often than other organizations, and it just seems that way to my subjective memory. So, I decided to dig into the data a little and see if institutions of higher education – or for that matter, any particular types of organizations or businesses – account for a disproportionately large percentage of breach reports.
I decided to look at publicly reported incidents of external breaches which were: 1) known or presumed to be malicious; and 2) not carried out or assisted by malicious insiders. I was only interested in reports of “hacks”, not in reports of lost laptops, accidental exposures on FTP servers, accidental emailings, insider abuse, and so on.