Source: National Cyber Security News
Although it is perhaps best known for funding academic research, the US National Science Foundation (NSF) conducts many other activities, including an annual survey of doctoral graduates called the Survey of Earned Doctorates (SED). While the SED is an important data source for understanding the societal impact of doctoral education, the way in which the NSF conducts the survey offers a case study in cybersecurity through obscurity and in the importance of paying attention to the entire lifecycle of data, along with several useful lessons for other organizations managing sensitive data in 2018.
My own experience with the SED began last month when I received four phone calls in one month from an unknown phone number late at night claiming to be a survey company working for NSF and wanting to ask me a series of questions. In this era of constant phishing attempts and scam calls, I initially assumed the calls were phishing efforts, since any NSF survey would surely be conducted from a listed phone number (though such numbers can be easily spoofed) and the caller would have sufficient identifying information to authenticate themselves and to establish that they actually were working on behalf of NSF.
Instead, the caller said they had no information about me other than my name, phone number and the university I graduated from, and wished me to provide them with a cornucopia of sensitive information of the exact kind coveted by identity thieves.