Ohio State University has experienced two information security breaches since late February, but the number of people affected doesn't compare to the data theft Ohio University experienced almost one year ago.
On Feb. 24, two laptops containing names and social security numbers of approximately 3,500 current and former chemistry students were stolen from an OSU professor's home. During the weekend of April 1, names, social security numbers and other personal information belonging to 14,094 current and former OSU faculty and staff were stolen from a server belonging to OSU's Office of Research.
The records stolen by the hacker were among 190,000 kept on the Office of Research server, which was accessed from outside the country.
Last spring, several OU servers were accessed by hackers, exposing more than 360,000 alumni donor and medical records to theft.
OSU notified those affected in its latest breach on April 14.
"The university was able to close the security breach immediately (upon discovering it)," said Jim Lynch, OSU's director of Media Relations. "The university feels terrible that this has happened."
OSU has employed Cybertrust of Herndon, Va., an information security consulting firm, to investigate the most recent theft and prepare an incident report. Local, state and federal agencies are also involved, Lynch said.
Cybertrust spokeswoman Laura Wooster confirmed that OSU is a client of the company, but said she couldn't comment further.
Approximately a dozen people work on OSU's information security team, Lynch said, adding it has formed a security incident response team to deal with the issue.
OSU's security team noticed the suspicious activity on April 2, during a review of network activity logs, and reported that a hacker had broken through a firewall, a piece of software designed to prevent malicious access of a computer, to access the database.
Generally, it takes more expertise for a hacker to break through a firewall than access a computer without one, said Ed Carter, senior network security analyst at OU.
"No machine, whether it is behind a firewall or outside a firewall, is absolutely secure," Carter said.
Firewalls were not in place at OU last spring, when it was discovered that 360,000 OU records had been exposed to hackers. After that incident, the university deployed firewalls, fired two senior IT managers and its chief information officer resigned.
OSU is offering a free, yearlong credit protection through an Equifax Gold membership to people affected in both its security incidents. One month of the service costs $9.95 per person. Lynch would not say how much the offer cost OSU.
Two OU alumni filed a class-action lawsuit against the university on June 23, 2006, demanding OU pay for credit monitoring services and any costs associated with identity theft as a result of the security breaches. The case is ongoing and the university has not paid for credit monitoring services for those affected by the breach.
"There is no proof that anyone actually saw, much less copied or used, any of those numbers (social security numbers)," reads a motion to dismiss the case filed by the university. The document also notes the university notified the appropriate agencies, affected individuals and provided information on preventing identity theft after the incidents occurred.
University officials knowledgeable about the case were not available for comment yesterday.
Dave Hendricks




