[ISN] Hacker gets private data on students at Ohio University

From: InfoSec News (isn@private)
Date: Fri May 12 2006 - 01:11:56 PDT


Associated Press
May. 11, 2006

ATHENS, Ohio - Private information for all students enrolled at Ohio
University since fall 2001 was stolen in the third electronic security
breach discovered in three weeks, the school reported Thursday.

It was the first time Social Security numbers and other private
information for current students was compromised in the data thefts.  
The FBI found and alerted the school to the first breach last month,
and two more have been discovered in the university's own review of
all its systems.

More breaches could be found as 20 employees working seven-day weeks
continue the review, which could take another 10 days to finish, said
Bill Sams, head of information technology. "We're going through every
system from top to bottom," he said.

Names, birth dates, Social Security numbers and medical information
for 60,000 people were accessed in records at the school's Hudson
Health Center, the university discovered last Thursday. The student
clinic has records on all Athens campus students dating back to 2001,
plus faculty, workers and regional campus students who sought
treatment there.

As it did with the previous thefts, the university sent e-mails
Thursday to the affected people and will follow up with letters.

The alerts couldn't be sent to students earlier because names in the
database couldn't be accessed while the school backed it up to
preserve evidence and rebuilt it with proper security, Sams said.

The university reported two data thefts within three days of each
other in late April. Someone gained unauthorized access to records on
more than 300,000 people and organizations in the alumni relations
department, including 137,000 Social Security numbers, and to a server
at the school's business incubator that contained e-mails and patent
and intellectual property files.

After those thefts, the university set up a Web site and hot line,
(740) 566-7448 or (800) 901-2303, with tips on how to prevent
fraudulent use of personal information.

The school also has hired a security consultant.

"Given the breadth and the number of these we are operating under the
assumption that we've got to make major changes very quickly," Sams

Ohio University also has called other schools that had breaches,
including Miami University in Oxford in southwest Ohio. Miami reported
in September that someone had accidentally posted a grade report that
included student names and Social Security numbers on a site
accessible by the Internet.


Ohio University data theft: http://www.ohiou.edu/datatheft

This archive was generated by hypermail 2.1.3 : Fri May 12 2006 - 01:44:24 PDT