by Nancy La, SFU Student
SFU prides itself on keeping its community safe from harm, yet its cybersecurity (or the lack thereof) paints a different image.
SFU’s servers were hacked on February 3, exposing the personally identifiable data of over 200,000 past and current students and staff. This wasn’t the first time something like this has happened either; SFU also had data exposures in 2016 and 2020. SFU’s lack of support for their IT department and options for those whose data was exposed reveal the school’s inability to keep up with modern cybersecurity demands. The school should reflect on the shortfalls that led to this breach, and take concrete measures now to prevent another breach in the future.
Email addresses, student numbers, and transcripts are among the long list of information that was exposed in the breach. Although more secure information like banking details and social insurance numbers was not exposed, the fact that data breaches like these can happen on a semi-regular basis is a serious cause for concern. At a time when classes are virtual and both staff and students rely on safe online support from SFU, this data breach is a major letdown for the community. How are staff and students expected to be productive when the threat of their personal information being revealed hangs in the background?
What makes the data exposure worse is that there is no way for the community to take back the personal data floating out on the Internet. It is now someone else’s free real estate, and there is no way to know what the consequences will be until it’s too late. This risk speaks volumes about the school’s outdated cybersecurity systems, especially since modern online privacy methods prioritize user transparency and control over one’s own data, something that SFU should prioritize as well.
Investing more in the maintenance of the SFU data servers and in supporting their IT personnel would have helped to prevent an exposure in the first place. The maintenance of IT platforms was even amongst SFU’s top reasons for the annual tuition hike during the pandemic. If SFU had taken more appropriate preventative measures, it would have saved the community a lot of grief. Yet here we are, trying to cope with the fallout of a data breach even though we have already (literally) paid our dues.
Additionally, it’s odd that alumni information is kept on SFU’s servers. What would be the purpose of keeping the information from people who have moved on from SFU? While there may be a good reason for keeping their data, it is not worth bearing the higher risks associated with it. SFU deleting irrelevant or unused data after a certain period of time would be a small step towards ensuring a safer online presence for the whole community.
IT Services recommends that the community set up multi-factor authentication (MFA) and use SFU’s virtual private network to aid in data breach prevention, the latter of which is only available for staff and faculty. MFA will be mandatory for all staff and students by December 2021 and provide a safer log-in experience, but it does not address the core problems that started this whole mess. These suggestions also put the onus on the community to take action on preventative measures that should have been implemented on SFU’s end from the start.
SFU’s recommendations are only temporary bandaids that do not solve the issue of the school’s vulnerability to data breaches. SFU needs to step up and be a leader in ensuring the online safety of its community, beginning with investing in its cybersecurity infrastructure and personnel, being more transparent with the data it collects, and giving more control to those who own said data. Students and staff deserve more than an email that offers no solid solutions for future exposures.