3 Universities Knocked by Security Breaches

Over the last two months, three American universities have been mopping up from data breaches, the largest--at Ohio State University--affecting 760,000 people. The University of Wisconsin-Madison's security incident involved 60,000 people; and a St. Louis University breach affected staff employed by the university for five years or longer.

During a "routine" IT security review in late October 2010, Ohio State discovered that unauthorized people had logged onto a server that contained information on current and former faculty, students and staff, applicants, and others with university ties. That data included name, Social Security number (SSN), date of birth, and address. A forensic investigation led security experts to conclude that the access was set up to launch cyber attacks against other businesses on the Internet and that no records were actually taken.

The server was isolated to prevent further access, and the university sent out letters in mid-December to those affected. The delay in reporting the breaches to victims, according to a FAQ, was owing to activities related to the assessment of the incident, verification of names and addresses, setting up a credit monitoring protection service, and establishing a hotline with trained operators to handle follow-up communications.

"Although we firmly believe that this incident has not and will not result in identity theft, we are exercising an abundance of caution and will notify affected individuals," the university wrote in a public Web page. The university set up a credit protection service with Experian Consumer Direct for people whose personal information was maintained on the server.

About the same time that Ohio State had discovered its breach, so did U Wisconsin-Madison. According to news coverage on the university's Web site, the Wisconsin Union, the social heart of the university, which manages the campus ID card system, realized that a database within its system had been hit by cybercriminals. One of the files in the database contained dated university photo IT numbers with embedded SSNs and cardholder names.

The institution said it had stopped issuing these cards in 1998. But an examination of the files showed that the database had been compromised in 2008 and accessed "numerous times" in subsequent months. "However, system logs do not show file transfers that would suggest the affected database was downloaded," the university reported.

As follow-up, the university said it has done a check on all Wisconsin Union networks to make sure they're sitting behind a firewall, deployed network intrusion detection, and implemented a vulnerability identification program. Also, all records containing SSNs in the database have been taken offline.

In this case, the university didn't set up a credit-checking service, opting to notify those affected by letter with the recommendation that they use a free credit-reporting service, among other suggestions. As U Wisconsin-Madison stated on its Web site, "This incident illustrates the continuing security challenge the university faces with on an ongoing basis. The university will continue to upgrade its security to avoid similar such situations in the future."

A far less public incident struck St. Louis U in mid-December. According to news station KSDK, university Vice President and CIO Tim Brooks issued a letter to faculty, staff, and students that the school was "working around the clock" to investigate a breach of its campus network. Brooks wrote in the letter, "Although we're still investigating this matter, we didn't want to wait to notify you about what we're doing...." He added that the breach appeared to affect only those individuals who had been employed at St. Louis U for five or more years.

The university informed the FBI and hired a security firm to help with the investigation. Brooks also said the school was exploring options for setting up free ID theft protection for those who might have been affected.

About the Author

Dian Schaffhauser is a former senior contributing editor for 1105 Media's education publications THE Journal, Campus Technology and Spaces4Learning.

Featured

  • abstract pattern with interconnected blue nodes and lines forming neural network shapes, overlaid with semi-transparent bars and circular data points

    Data, AI Lead Educause Top 10 List for 2025

    Educause recently released its annual Top 10 list of the most important technology issues facing colleges and universities in the coming year, with a familiar trio leading the bunch: data, analytics, and AI. But the report presents these critical technologies through a new lens: restoring trust in higher education.

  • stylized illustration of a portfolio divided into sections for career training

    St. Cloud State University Adds Four Tech Bootcamps via Upright Partnership

    To meet the growing demand for tech professionals in the state, Minnesota's St. Cloud State University is partnering with Upright to launch four career-focused bootcamps that will provide in-demand skills in software development, UX/UI design, data analytics, and digital marketing.

  • digital bookshelf displayed on a computer screen

    OverDrive, Ex Libris Integration Streamlines Discovery of Digital Content

    OverDrive, a provider of digital resources for schools and libraries, has announced an integration with library management provider Ex Libris that will allow academic institutions to discover the former's e-books and audiobooks within the Alma and Primo library services platforms.

  • Man wearing headset working on a computer

    Internet2: Network Routing Security and RPKI Adoption in Research and Education

    We ask James Deaton, vice president of network services, about Internet2's initiatives and leadership efforts to promote routing security and RPKI adoption in research and higher education networks.