3 Universities Knocked by Security Breaches

Over the last two months, three American universities have been mopping up from data breaches, the largest, at Ohio State University, affecting 760,000 people. The University of Wisconsin-Madison's security incident involved 60,000 people, and a St. Louis University breach affected staff employed by the university for five years or longer.

During a "routine" IT security review in late October 2010, Ohio State discovered that unauthorized people had logged onto a server that contained information on current and former faculty, students and staff, applicants, and others with university ties. That data included name, Social Security number (SSN), date of birth, and address. A forensic investigation led security experts to conclude that the access was set up to launch cyber attacks against other businesses on the Internet and that no records were actually taken.

The server was isolated to prevent further access, and the university sent out letters in mid-December to those affected. The delay in reporting the breaches to victims, according to a FAQ, was owing to activities related to the assessment of the incident, verification of names and addresses, setting up a credit monitoring protection service, and establishing a hotline with trained operators to handle follow-up communications.

"Although we firmly believe that this incident has not and will not result in identity theft, we are exercising an abundance of caution and will notify affected individuals," the university wrote in a public Web page. The university set up a credit protection service with Experian Consumer Direct for people whose personal information was maintained on the server.

About the same time that Ohio State had discovered its breach, so did U Wisconsin-Madison. According to news coverage on the university's Web site, the Wisconsin Union, the social heart of the university, which manages the campus ID card system, realized that a database within its system had been hit by cybercriminals. One of the files in the database contained dated university photo ID numbers with embedded SSNs and cardholder names.

The institution said it had stopped issuing these cards in 1998. But an examination of the files showed that the database had been compromised in 2008 and accessed "numerous times" in subsequent months. "However, system logs do not show file transfers that would suggest the affected database was downloaded," the university reported.

As follow-up, the university said it has done a check on all Wisconsin Union networks to make sure they're sitting behind a firewall, deployed network intrusion detection, and implemented a vulnerability identification program. Also, all records containing SSNs in the database have been taken offline.

In this case, the university didn't set up a credit-checking service, opting to notify those affected by letter with the recommendation that they use a free credit-reporting service, among other suggestions. As U Wisconsin-Madison stated on its Web site, "This incident illustrates the continuing security challenge the university faces on an ongoing basis. The university will continue to upgrade its security to avoid similar such situations in the future."

A far less public incident struck St. Louis U in mid-December. According to news station KSDK, university Vice President and CIO Tim Brooks issued a letter to faculty, staff, and students that the school was "working around the clock" to investigate a breach of its campus network. Brooks wrote in the letter, "Although we're still investigating this matter, we didn't want to wait to notify you about what we're doing...." He added that the breach appeared to affect only those individuals who had been employed at St. Louis U for five or more years.

The university informed the FBI and hired a security firm to help with the investigation. Brooks also said the school was exploring options for setting up free ID theft protection for those who might have been affected.

About the Author

Dian Schaffhauser is a former senior contributing editor for 1105 Media's education publications THE Journal, Campus Technology and Spaces4Learning.
