http://www.athensnews.com/issue/article.php3?story_id=25220

By Jim Phillips
Athens NEWS Senior Writer
2006-06-12

Ohio University has spent more than $77,000 sending letters to alumni and students affected by a computer security breach. It's harder to put a price tag on the blow to alumni goodwill, as the number of people affected by hacking of OU computer databases continues to rise with the discovery of new hacking incidents. "This is damaging OU's reputation far more than its drunk football coach, magazine pictorials or its #2 party-school ranking, and you can tell (OU President Roderick) McDavis that this really sucks. A lot!" wrote one incensed alum May 10. Another signed off his May 3 e-mail with, "You incompetent f---ing a--holes. I will never donate a penny to you." After announcing two computer security breaches in May, OU got hundreds of e-mails from alums regarding the issue. The Athens NEWS has examined more than 600 of them, provided by the university in response to a records request. The great majority were simply requests for information, trying to learn whether the sender's personal data were accessed by the hackers, and to get more detailed guidance on what to do if they were. A number of writers, however, expressed anger, frustration and in some cases, a distinct reluctance to donate any more money to OU. "It was my intention to leave a sizable endowment to OU, but not any longer," announced one. "My husband has graciously given to the university's alumni association many times; we will now think twice before we do it again," warned another. Other comments along these lines include: "I am disgusted with you and will NEVER do anything to help you financially." "I will definitely be reflecting on this incident the next time I receive an appeal for a donation to OU." "I have donated to the university for many years, but this shortcoming, and other matters having to do with the university, make me hesitant to make further contributions."
Some alums questioned why OU keeps Social Security numbers on long-gone graduates, including those who haven't been donors. Some asked to have their data removed from OU computers - a request the university promptly grants. Dozens wanted to know if OU will cover the expenses they rack up in taking precautions against identity theft, or financial losses if they're the victim of such thefts. A handful talked about lawsuits, and one alum simply sent OU a bill. Molly Tampke, interim vice president for university advancement, admitted last week that she can't gauge how the alumni perception of the computer data breaches will affect giving to OU. Tampke acknowledged that the incidents seem to have undermined alumni confidence in some cases, but she continued to hold out hope that alums will look past the problems when it comes time to open their checkbooks. "It does concern me that alumni would feel like they couldn't trust us," Tampke said. "In terms of long-term effects for financial support, I don't think we know. But I think ultimately people believe in us, and want to support Ohio University... I don't want to look cavalier by any means, but I believe in the loyalty of our alums." THE PICTURE JUST GOT darker, however. While investigating the previous cases in which hackers gained access to personal data - including Social Security numbers - on close to 200,000 students and alums, OU recently found two more such incidents. These affect the personal data of about 2,480 university subcontractors and an additional 4,900 current and former students. According to a story in the Columbus Dispatch Saturday, the latest hackings put OU at the top of universities nationally for the amount of computer data stolen, well ahead of the next school on the list, the University of Southern California. 
More than one alum correspondent has questioned the competency of those watching over OU's data cache, and one question in particular keeps coming up in the e-mails sent by alums: Why did you have my Social Security number on file, anyway? "I'm trying to fathom a situation in which a serious breach of Social Security numbers could occur and not be discovered for 13 months," wrote one alum who works in fraud and compliance for Microsoft. "How could this possibly happen without utter rank incompetence and a carefree attitude toward data security?... I hope your IT staff was fired." Another writer noted that "the trend across the country is to de-link Social Security numbers from other important identifying information" in computer databases. Tampke said the reason for holding the numbers is "primarily to track lost alumni." When an alum moves and doesn't leave a forwarding address, she said, OU will give the person's Social Security number to a tracking service, to find the new residence. Given the risk of data theft, is this convenience worth it? "That's a good question," Tampke said, adding that the issue is "something that we want to sit down and have a very structured conversation about," once the university has the fallout from the hacking cases under control. A recent internal memo on OU's damage-control efforts estimates that the university has spent approximately $77,090 on printing and mailing almost 244,000 letters to alums and donors affected by the security breaches. OU has sent out close to 126,000 e-mails in connection with the incidents as well, the memo shows. Tampke said these numbers should be pretty much up to date, and that the volume of correspondence over the case has ebbed considerably. "It's tapered off a lot," she said. "We're not getting nearly so many e-mails. I got maybe three letters this week." Some of the e-mails received by OU, however, suggest that the story is far from over. 
Dozens of writers have hinted - or come right out and said - that OU should pick up the tab for any credit-monitoring services affected alums have to pay for, or any losses they suffer through identity theft. A smaller number have implied, with varying degrees of specificity, that they may take the matter to court. "If there is any financial damage or compromise to my other accounts stemming from this breach of security, I will hold Ohio University at fault and seek legal counsel to recover any and all loss, with punitive damages," one alum threatened. "I will further network with my other alumni to seek a class-action suit for the same." OU has responded to questions about money liability with a standard statement, which says that before OU would cover any losses related to identity theft, it "would need some sort of definitive evidence that an individual had experienced financial liability not otherwise remedied by the laws that protect victims of identity theft and that such harm had occurred as a direct result of this particular database system compromise rather than a similar compromise of some other organization's system in which the individual might also have a record." Some alums have called this a dodge. "As far as proving that identity theft was a direct result of your system 'compromise,' you know as well as anyone that you cannot prove that it was the only place that information could have been received," one writer complained. Barb Nalazek, OU's assistant legal affairs director, said that while it may seem unfair to require an alum to prove that an identity theft stemmed from OU's computer breach and not some other hacking incident, in today's world of widespread data theft, this is only realistic. "We're seeing breaches all the time," she said. "I don't want to sound like I'm making excuses, but you really have to say, 'Do you really know that no other company that has all that information on you didn't breach that?'... 
It sounds like an excuse, but it's true." On the expense issue, Nalazek noted that there are a few companies that will provide one free 90-day credit watch per year. By using all of these companies, she said, a person can keep an ongoing watch on his or her credit record, "and it doesn't cost anything... For what is an appropriate sort of due diligence, it really is something we all should be doing, and there doesn't have to be any financial cost." As for losses incurred through identity theft, Nalazek pointed out that the law already limits a person's individual financial liability in the case of, say, misuse of a credit card. "As long as you're monitoring your credit-card statements, your liability is extremely limited," she said. No one, apparently, has yet sued OU over the security breach, but the e-mails contain a handful of veiled threats, not-so-veiled threats, and queries on this issue. "Is there already a class-action lawsuit against Ohio University at this time?" asked one alum. "Like many of my classmates, I'm also investigating Ohio University's potential criminal and civil liability," noted another. "If there is a lawsuit, believe me I will happily join it," announced a third. Nalazek confirmed that the idea of a class-action suit has apparently crossed the mind of more than one OU alum, but said she knows of no organized effort to file one. "It's certainly not that we haven't heard those two words bandied about by people contacting us," she acknowledged. "But as far as that happening, there's nothing that we know of." One resourceful alum dispensed with hints, threats and allegations, and simply billed OU for the time she spent checking her credit status. Calling the university "fully liable" for her outlay of time, she e-mailed an invoice for three hours of work at her "usual billing rate" of $165 an hour. 
In its latest response, OU Legal Affairs Director John Burns has contacted the firm the woman works for, asking for confirmation of her hourly rate. "(The alum's) hourly compensation claim is unique so far, and I am not sure what Ohio University's decision will be," Burns states in a June 1 e-mail. Not everyone who expressed an e-mail opinion about the data breach was outraged. Some were understanding, a few sympathetic. One was nearly whimsical. "Please stop giving my information to identity thieves," the alum asked politely. "Thank you for your consideration." In a postscript he added, "I would give you the rest of my contact information, but I am afraid it would be stolen."