Compromised: University Suffers Breach

Wednesday, December 22, 2010 @ 03:12 PM gHale

Ohio State University has to notify 760,000 people their names and Social Security numbers may have become compromised after one of the largest and most costly breaches to hit a college campus.

Ohio State expects to spend about $4 million to pay for the forensic investigation and credit-protection services for those whose personal information was on the hacked server.

University officials started notifying current and former students, employees and businesses that have done work with the school about the breach.

“We regret that this has occurred and are exercising an abundance of caution in choosing to notify those affected,” said Provost Joseph A. Alutto.

There is no indication the hackers took any personal information or the incident will result in identity theft for any of the affected people, Alutto said. Still, the university is offering 12 months of free credit-monitoring services through Experian as a precaution.

In late October, a routine computer security review uncovered suspicious activity on a campus server with the names, Social Security numbers, birth dates and addresses of up to 760,000 people associated with the university, including applicants, contractors and consultants, he said. That server did not house OSU Medical Center patient records or student health records.

Ohio State isolated the server and hired Columbus-based Interhack to investigate whether there was any compromised personal data. The university also turned to cyberforensic consultants Stroz Freidberg of New York. Both firms confirmed hackers illegally gained access to the server, but neither found evidence the hackers accessed any data, Alutto said.

Instead, the expert found signs the hackers were trying to use the OSU server to launch cyber attacks on agencies and businesses.
“We didn’t start notifying people until now because we didn’t receive our first report until late November, and the second in early December,” he said.

Ohio State will continue to work with the cyberforensic consultants to strengthen its systems against further attacks. Campus police is investigating and officials also notified the FBI.

Ohio State officials investigated an average of 10 potential data breaches annually during the past three years but have found only a few actual breaches, involving minor problems and no more than a few hundred people.

OSU’s largest incident occurred in 2008, when a vendor doing work for the school’s student health-insurance plan mistakenly stored the names of 18,000 current and former students on a computer open to the Internet. No identity thefts ever came out of that incident, campus spokesman Jim Lynch said.

Since 2008, colleges have discovered 158 breaches resulting in the possible compromising of more than 2.3million records, according to Application Security Inc., a New York security firm.

Ohio University experienced one of the worst information security breaches in higher education in spring 2006, when hackers gained access to the medical data of thousands of Ohio University students. The Hudson Health Center data contained identifying information on 60,000 students, including Social Security and personal identifier numbers, addresses and data on medical treatments.

That breach followed an attack on a network server containing data on 300,000 Ohio University alumni and donors, including 137,000 Social Security numbers. The university’s Innovation Center also was hacked, leading to the exposure of intellectual property files, e-mails and Social Security numbers.

Two OU computer-system administrators lost their jobs after a report found they failed to protect the confidential information.

One Response to “Compromised: University Suffers Breach”

Leave a Reply

You must be logged in to post a comment.