An attack by hackers on Sony Pictures’ computer system late last year made news for weeks when it exposed personal information about some of the world’s biggest movie stars and prompted the studio to delay the release of a $44 million movie for fear of attacks on theaters.

But in terms of the number of files breached, the Sony attack wasn’t one of 2014’s largest – five colleges suffered bigger hacks, The Huffington Post reported last month. That’s because institutions of higher learning have become increasingly vulnerable. Colleges and universities account for 17 percent of reported data breaches, second only to the health care industry.

The University of Maine isn’t immune: Sensitive records pertaining to over 600 former students were exposed when a physics professor’s laptop was stolen during a Feb. 10 plane flight. The incident should be the occasion for a lesson in the value of personal data – and the need for more effective employee security training.

The stolen laptop had a wealth of resources for someone who wants to commit identity theft – specifically, former students’ names and Social Security numbers.

Malefactors can use this information to open bank accounts, apply for credit cards, take out loans, file for fraudulent tax refunds and commit Social Security or unemployment fraud. And for the victim, getting a new Social Security number is a lot of work – often in vain, since banks and credit bureaus can easily link the new number to the old, misused one.

The University of Maine System, ironically, stopped using Social Security numbers to identify students eight years ago. This information wound up on the stolen computer because the professor (who hasn’t been identified) had class lists from before 2007 on the laptop – in violation of a UMaine System ban on storing such sensitive data on any electronic devices.

After the breach, John Forker, the system’s chief information security officer, said he’s planning to ramp up the required annual online computer-security training for employees. As he’s doing so, he should pay attention to experts who distinguish between “once a year … ‘Check the Box’ efforts” and “programs that strive to change behaviors of individuals, which in turn strengthens the security culture.”

It’s been found, for example, that interactive material is vastly better at engaging workers than videos or slide shows that play out while employees are doing something else, like checking their text messages or taking a coffee break. Management participation is key. So is soliciting and using worker feedback. To assess follow-through, periodic checks of university hardware are a good way to see whether employees are implementing university policy.

The university system as a whole – not just the professor responsible for the incident – can learn from the University of Maine data breach. If current prevention and compliance practices aren’t reaching employees, then it’s up to officials to figure out what will.