- eCampus News - https://www.ecampusnews.com -

Ohio State reports massive network security breach

[1]
OSU hired computer forensic experts to investigate the school's security breach.

Social Security numbers, dates of birth, and other personal information for about 760,000 current and former Ohio State University (OSU) students were accessed by unauthorized network users in October, although campus IT staff haven’t found evidence that any information was taken, according to an OSU statement.

The university went public with news [2] of the breach Dec. 15, promising to provide free credit protection services for anyone whose name, Social Security number, birth date, or address was listed on the server that was accessed without the campus’s consent.

More recent news about security breaches:

University faces lawsuit after security breach [3]

‘Do Not Track’ tool could enhance online privacy [4]

University posts info of 40K students [5]

The university created a website for people eligible for credit protection. The school’s statement said OSU applicants were among people listed in the massive database.

The school’s statement [2] said the server did not include records for patients at OSU’s Medical Center.

OSU discovered the security lapse in late October and hired “the nation’s best computer forensic consultants” to search the school’s network and check what, if anything, had been taken from university records.

In late November, after a month of investigation, the forensic consultants told OSU officials that “there was no evidence that any data were taken out of the system by unauthorized individuals,” according to the school’s statement. “The experts did find evidence that the purpose of the unauthorized access was to launch cyber attacks.”

“We are committed to maintaining the privacy of sensitive information and continually work to enhance our systems and practices to reduce the likelihood of such events occurring,” said Joseph Alutto, Ohio State’s provost.

Michael Maloof, chief technology officer for information management company TriGeo Network Security, said universities’ penchant for collecting and keeping sensitive information will continue to attract online hackers looking for databases rich with valuable information.

“The vast accumulation of data is exactly why higher education is such a lucrative target for attacks,” Maloof said, adding that constant monitoring could be the only way for college IT officials to fend off hackers. “Real-time monitoring of sensitive systems and data can spot suspicious behavior, either from inside or outside the organization, while there’s still time to act.”

Most importantly, Maloof said, campus technologists should ensure that the institution’s most sensitive data is encrypted.

“Both data in transit – especially across open university networks – and data at rest should be encrypted so that a breach will have little chance of capturing massive amounts of usable information,” he said.

The scale of OSU’s network breach separates the incident from other security compromises in higher education.

Although no personal information was stolen, the 760,000 people listed on the server is more than faculty, staff, and student records stolen in all U.S. colleges and universities last year.

Hackers stole information from about 600,000 people in higher education in 2009, according to a report [6] published by Identity Theft 911, an Arizona-based company founded by consumer advocates and experts from the financial industry and law enforcement.

Twenty-seven American colleges and universities saw personal records stolen in the first seven months of 2009, and the Identity Theft 911 report concludes that a “sprawling profusion” of disparate computer networks and servers–each with a different security policy–makes IT departments “powerless to enforce any standards,” meaning student grades, credit information, and Security Social numbers remain vulnerable.

A bevvy of IT security breakdowns were reported [7] at several large universities last summer.

At least three universities—the University of Maine [8], Penn State University [9], and Florida International University [10]—reported data breaches in June that compromised Social Security numbers, academic and financial records, and other information for about 40,000 students and faculty across the three institutions.

These universities and others that have scrambled to alert faculty and students of data crimes in recent years are not alone, according to research from the Identity Theft Resource Center [11], a San Diego-based nonprofit organization.

The number of reported data breaches in schools and colleges increased from 111 in 2007 to 131 in 2008, according to a 2009 report released by the center.

Data-security crimes jumped by 47 percent overall between 2007 and 2008, according to the research.

Florida International University joined the ranks of compromised campuses when officials said more than 19,000 students and faculty [12] had their information exposed on an “unsecure database” identified in May. The school announced June 22 that the information “is now secure.”

The database, according to the university, was used “in connection” with the College of Education students’ eFolio software application, which captures information such as test scores, grades, and other “data elements.”

Personal information for 88 faculty members also was exposed in the data breach, according to Florida International [12].

Penn State University [13] sent letters to 15,806 people whose personal information—including Social Security numbers—was exposed when a computer in the campus’s Outreach Market Research and Data office was compromised by a “bot.”

A group of bots, or “botnet,” as they’re known, is a network of compromised computers controlled by malicious software programs that exploit web browser vulnerabilities and a host of other security holes in a personal computer.

IT security experts said colleges’ commitment to an open network and unwillingness to restrict web use has made campuses a hotbed for hackers trolling for personal information.

Adam Levin, chairman and cofounder of Identity Theft 911, said colleges’ decentralized IT systems combined with an open network are “a recipe for the disaster we’ve experienced.”

Thousands of students connected to online social networks and file-sharing web sites endanger the entire IT infrastructure, Levin said.

“When you’re downloading Madonna, you could also be downloading” malware that could spread throughout a campus IT network, he said.