Ohio University suffers security breaches

Data thieves may have plundered Social Security numbers and other private information--including health records--belonging to students and faculty at Ohio University following three separate computer intrusions at the school.

According to a message posted on the school's Web site, more than 200,000 people may have been victimized, including past and present students as well as school employees.

Administrators also suggested that more thefts may be uncovered as investigators continue to review computer systems campuswide.

While this is only the latest in a long string of electronic attacks on the nation's universities, the case appears to be unprecedented because of the number of data thefts discovered at one time at one school.

As part of its investigation, the university said on its Web site, it has sought the help of the FBI, forensic consultants and other universities that have suffered similar intrusions "to improve the security of data and IT resources" throughout the university.

"E-mails and letters have been or are being sent to all constituents whose personal information may have been compromised," the school said in a statement.

Last month, the FBI alerted the university's administration that a server within the school's Technology Transfer Department had been compromised. Little personal information was believed to be lost in that breach, but a second breach was found three days later on April 24.

The school's electronic-security team discovered that a server within alumni relations had been commandeered and was being used in a denial of service attack. The Social Security numbers of about 137,000 people were stored in that server.

On Thursday, the school announced that it had found a third intrusion at its health center involving 60,000 people including all current students as well as some school faculty.

In addition to Social Security numbers, the compromised server in the health department held health records.

Last month, a 25-year-old San Diego man was charged with hacking into the University of Southern California's online application system and nabbing personal data from prospective students.

In January, the University of Notre Dame began investigating an electronic break-in that may have exposed the personal and financial information of school donors.

[Mr. Network]

Lovely more bad news from Ohio

you never hear anything good about Ohio. If you lived there you'd know why.

[marileev]

New @ Frosh Orientation-ID Theft 101

Universities and Financial Institutions seem to be the biggest entities plagued by ID theft. Maybe higher ed should have a new seminar during Freshmen Orientation - ID Theft 101: protect your info, because we can't.
<a class="jive-link-external" href="http://www.iwantmyess.com/?p=53" target="_newWindow">http://www.iwantmyess.com/?p=53</a>

[Stating]

Decades Of Using SSN As Student ID#

Anyone who went to college within the past few decades, or took a night class at a community college, is at risk from the educational institution. The only way to put a stop to this is to pass a Federal law that requires these institutions to expunge all traces of SSNs from student/alum databases and replace them with made-up student IDs. Alums should refuse to make donations to their alma until their SSNs are expunged. After a few months of donor draught, these institutions would quickly make the necessary changes.

[fakespam]

Windows XP

According to Netcraft, these guys are running Windows on the
server.

So, they get what they wanted by using an insecure OS.

Argue this point, please. Also argue here:

<a class="jive-link-external" href="http://www.network54.com/Forum/7505/" target="_newWindow">http://www.network54.com/Forum/7505/</a>

[Unreal City]

Can you reference the Netcraft info?

Since Windows XP is a client OS, I doubt they're using it as a server. And if it's an older OS, the story from other sources is that they thought it was offline, so they wouldn't have kept up with patches and such.