Saturday, May 19, 2007

 

Hackers, laptop thieves compromise personal information of 17,500 at Ohio State in separate incidents

Frank Washkuch Jr. Apr 18 2007 18:39
Two separate incidents — both resulting in data breaches — have left the personal information of 17,500 Ohio State University students, faculty members and staff compromised.


On March 31 or April 1, a hacker using a foreign web address cracked a university firewall and accessed the names, Social Security numbers, employee ID numbers and birth dates of more than 14,000 current and former staff members, according to a university statement.

The university sent letters to affected personnel, who were offered a year of free credit protection.

Of the victims, nearly 7,000 are current staff members, while more than 7,100 are former university employees.

The university, on discovering the breach on April 2, blocked access to the exposed database and informed state and federal law enforcement authorities.

University spokesman Jim Lynch told SCMagazine.com today that experts from Cybertrust have been hired to investigate the hacking.

In an unrelated incident, the personal information of about 3,500 current and former chemistry students was compromised when two laptop computers were stolen from the home of a university professor on Feb. 24.

The laptops were likely not the target of the burglary, and were stolen with a number of other household items, according to Lynch.

Records stored in the laptops contained names, Social Security numbers and grades, according to the university.

Lynch said the laptops were likely stolen by thieves not interested in or aware of the personal information contained on them. He was unsure whether the data was encrypted.

Ennio Carboni, director of product management at Ipswitch, told SCMagazine.com today that college students are an alluring target for attackers because their credit is often flawless.

"I think it’s very tactical by the hackers. We’re talking about a university with thousands and thousands of Social Security numbers with not a lot of established credit, so they can get those and other information to open up lines of credit," he said. "When hackers steal information from a large population of adults, it can be good credit and it can be bad credit. With college students, it’s fresh; they haven’t defaulted on home loans or anything like that."

Ohio State is the latest in a growing line of educational institutions to suffer a data breach.

Late last month, hackers compromised a server to access the personal information of 46,000 students, faculty members and staff of the University of California, San Francisco.

Its sister school, the University of California, Los Angeles, discovered in December of last year that a hacker had been exploiting an undetected security hole in a school database for more than a year. The network contained the personal information of 800,000 people, including current and former students, faculty, staff and applicants.

Last month, Texas A&M University alerted nearly 100,000 network users to change passwords after hackers attempted to access university accounts.

Ohio University sent out more than 300,000 notices in May 2006 after a server breach.

The University of Arizona and the University of Texas at Austin are other high-profile college breach victims.



Tuesday, April 17, 2007

 

Hacker, thieves get OSU ID data

About 14,000 faculty and staff and 3,500 students affected
Monday, April 16, 2007 11:43 PM
By Bill Bush

The Columbus Dispatch
A hacker broke into an Ohio State University computer two weekends ago and stole the names, Social Security numbers, employee ID numbers and birth dates of more than 14,000 current and former faculty and staff members, the university said today.

And in a separate incident, the same information about 3,500 OSU chemistry students dating back a decade — including Social Security numbers and grades — was on two laptops stolen from the home of a professor in late February, the university said.

Ohio State apologized in letters sent Saturday to the staff and students whose information was stolen, university spokesman Jim Lynch said. Those affected will be offered a year of free credit protection from a private company to help them guard against the criminal misuse of their identities, he said.

In the case of the staff's information, Lynch said, someone using a foreign Internet address broke through a computer firewall the weekend of March 31-April 1 and accessed more than 14,000 records from an Office of Research database of about 190,000 current and former university employees.

Allan Silverman, chairman of the Faculty Council that represents OSU faculty members, said he will start looking into the matter. One of the first questions he wants answered is why the Office of Research, which works to obtain research grants, had that database.

Silverman said he doesn't know yet if his name and personal information were accessed.

"It's a surprise," he said. "It's unfortunate."

The breach was discovered on Monday, April 2, and steps were immediately taken to block access to the data. The office discovered the intrusion involving 7,160 former and 6,934 current faculty and staff members during a routine review of daily activity logs, the university said.

"This was a malicious attack," Lynch said.

The breach involving chemistry students took place Feb. 24, when the home of professor Robert Coleman was burglarized. Coleman said he had transferred the contents of one laptop onto a new laptop just before they were both stolen, along with jewelry, watches, a shotgun and other items from his house.

"They stole a lot more than the computers," Coleman said. "We called 911 as soon as we got home."

The information on the laptops didn't just concern students, Coleman said. They also contained federal grant reports that list the names and Social Security numbers of post-doctoral students and a few undergraduate students working under the grants, Coleman said.

"All of those forms are electronic and would be stored in annual reports," Coleman said.

Also, "in a couple of cases, they were staff evaluations of people I was the supervisor for," Coleman said.

But the vast majority of the information on the laptops was class rosters, including the students' Social Security numbers, Coleman said.

Lynch said university officials worked as quickly as they could to get to the point of being able to notify the victims. Ohio law requires state agencies to notify the victims of computer security breaches within 45 days of the discovery, he said.

"It took us several weeks to identify what records were on (Coleman's) computer," Lynch said.

The university is currently reviewing which records available to staff should use Social Security numbers as personal identifiers, Lynch said.

Universities have been the targets of thieves seeking to steal identities because the schools commonly use Social Security numbers as identifiers, experts have said.

Last year, Ohio University in Athens discovered three major breaches in a matter of months. In one, hackers accessed the Social Security numbers of 137,000 alumni.

In December, UCLA announced that a database containing 800,000 files of personal information, including Social Security numbers, had been accessed.


