Friday, August 04, 2006
Ohio University reports two separate security breaches
Ohio University reports two separate security breaches
Jaikumar Vijayan
May 03, 2006 (Computerworld) Ohio University this week disclosed two separate but apparently unrelated incidents of data theft involving its computers.
On April 24, IT officials at the university noticed that someone had hacked into an alumni database server containing personal and biographical information for more than 300,000 individuals and organizations, said Bill Sams, the Athens-based university’s CIO. Faculty and staff members hired by the school before January 2004 were also affected.
The compromised files did not include credit card or bank information, but they did include Social Security numbers for 137,800 individuals, Sams said.
The breach was discovered after IT officials noticed the affected server was being used to launch a denial-of-service attack against an external target, Sams said.
“We immediately took it off-line and got into the logs. We discovered that it had been compromised as far back as 2005,” he said. In the 13 months since the server was breached, “we have found that people have accessed it from both domestic and international IP addresses,” he said.
The compromised server was supposed to have been decommissioned more than a year ago, and IT officials assumed the system had been taken off-line, Sams said. As a result, it had not received any security updates and patches for more than a year. He did not disclose how the server was breached or what operating system was running on it.
The second data compromise involved a server at the Technology Transfer Department, which is part of the University’s Innovation Center. FBI officials told the university about that breach on April 21. The server, which contained patent data and intellectual property files, was apparently involved in another incident that the FBI was investigating, Sams said, without providing further details. The university had no idea that the server had been broken into until the FBI pointed it out, he said.
The FBI is currently investigating both incidents, he said.
Ohio University today started sending out e-mails to those affected by the hack of the alumni database server. “We are sending them at the rate of 10,000 an hour,” Sams said. He added that the University has also set up a Web site providing details about the incident and instructing affected individuals on the steps they can take to mitigate the risk of ID theft.
Jaikumar Vijayan
May 03, 2006 (Computerworld) Ohio University this week disclosed two separate but apparently unrelated incidents of data theft involving its computers.
On April 24, IT officials at the university noticed that someone had hacked into an alumni database server containing personal and biographical information for more than 300,000 individuals and organizations, said Bill Sams, the Athens-based university’s CIO. Faculty and staff members hired by the school before January 2004 were also affected.
The compromised files did not include credit card or bank information, but they did include Social Security numbers for 137,800 individuals, Sams said.
The breach was discovered after IT officials noticed the affected server was being used to launch a denial-of-service attack against an external target, Sams said.
“We immediately took it off-line and got into the logs. We discovered that it had been compromised as far back as 2005,” he said. In the 13 months since the server was breached, “we have found that people have accessed it from both domestic and international IP addresses,” he said.
The compromised server was supposed to have been decommissioned more than a year ago, and IT officials assumed the system had been taken off-line, Sams said. As a result, it had not received any security updates and patches for more than a year. He did not disclose how the server was breached or what operating system was running on it.
The second data compromise involved a server at the Technology Transfer Department, which is part of the University’s Innovation Center. FBI officials told the university about that breach on April 21. The server, which contained patent data and intellectual property files, was apparently involved in another incident that the FBI was investigating, Sams said, without providing further details. The university had no idea that the server had been broken into until the FBI pointed it out, he said.
The FBI is currently investigating both incidents, he said.
Ohio University today started sending out e-mails to those affected by the hack of the alumni database server. “We are sending them at the rate of 10,000 an hour,” Sams said. He added that the University has also set up a Web site providing details about the incident and instructing affected individuals on the steps they can take to mitigate the risk of ID theft.
Labels: Ohio Univ.
Friday, June 02, 2006
Hackers access personal data at Ohio University over a period of 13 months
May 03, 2006 (Computerworld) -- Ohio University this week disclosed two separate but apparently unrelated incidents of data theft involving its computers.
On April 24, IT officials at the university noticed that someone had hacked into an alumni database server containing personal and biographical information for more than 300,000 individuals and organizations, said Bill Sams, the Athens-based university’s CIO. Faculty and staff members hired by the school before January 2004 were also affected.
The compromised files did not include credit card or bank information, but they did include Social Security numbers for 137,800 individuals, Sams said.
The breach was discovered after IT officials noticed the affected server was being used to launch a denial-of-service attack against an external target, Sams said.
“We immediately took it off-line and got into the logs. We discovered that it had been compromised as far back as 2005,” he said. In the 13 months since the server was breached, “we have found that people have accessed it from both domestic and international IP addresses,” he said.
The compromised server was supposed to have been decommissioned more than a year ago, and IT officials assumed the system had been taken off-line, Sams said. As a result, it had not received any security updates and patches for more than a year. He did not disclose how the server was breached or what operating system was running on it.
The second data compromise involved a server at the Technology Transfer Department, which is part of the University’s Innovation Center. FBI officials told the university about that breach on April 21. The server, which contained patent data and intellectual property files, was apparently involved in another incident that the FBI was investigating, Sams said, without providing further details. The university had no idea that the server had been broken into until the FBI pointed it out, he said.
The FBI is currently investigating both incidents, he said.
Ohio University today started sending out e-mails to those affected by the hack of the alumni database server. “We are sending them at the rate of 10,000 an hour,” Sams said. He added that the University has also set up a Web site providing details about the incident and instructing affected individuals on the steps they can take to mitigate the risk of ID theft.
On April 24, IT officials at the university noticed that someone had hacked into an alumni database server containing personal and biographical information for more than 300,000 individuals and organizations, said Bill Sams, the Athens-based university’s CIO. Faculty and staff members hired by the school before January 2004 were also affected.
The compromised files did not include credit card or bank information, but they did include Social Security numbers for 137,800 individuals, Sams said.
The breach was discovered after IT officials noticed the affected server was being used to launch a denial-of-service attack against an external target, Sams said.
“We immediately took it off-line and got into the logs. We discovered that it had been compromised as far back as 2005,” he said. In the 13 months since the server was breached, “we have found that people have accessed it from both domestic and international IP addresses,” he said.
The compromised server was supposed to have been decommissioned more than a year ago, and IT officials assumed the system had been taken off-line, Sams said. As a result, it had not received any security updates and patches for more than a year. He did not disclose how the server was breached or what operating system was running on it.
The second data compromise involved a server at the Technology Transfer Department, which is part of the University’s Innovation Center. FBI officials told the university about that breach on April 21. The server, which contained patent data and intellectual property files, was apparently involved in another incident that the FBI was investigating, Sams said, without providing further details. The university had no idea that the server had been broken into until the FBI pointed it out, he said.
The FBI is currently investigating both incidents, he said.
Ohio University today started sending out e-mails to those affected by the hack of the alumni database server. “We are sending them at the rate of 10,000 an hour,” Sams said. He added that the University has also set up a Web site providing details about the incident and instructing affected individuals on the steps they can take to mitigate the risk of ID theft.
Labels: Ohio Univ.
Repeated incidents at Ohio University
May 12, 2006 (Computerworld) -- University IT environments have gained considerable notoriety over the years for their relative lack of security. Recent incidents at Ohio University in Athens show just why.
Barely 10 days after disclosing two separate security breaches involving its computers, the university announced yet another incident in which sensitive data on one of its systems was illegally accessed by an unknown hacker. And there may be even more such disclosures to come as the university's IT department continues a sweeping security review of its networks and systems, warned CIO Bill Sams.
The latest incident involved a server supporting the university's Hudson Health Center. On May 4, the school's IT staff discovered that the system, which holds records of about 60,000 current and former students as well as some faculty and staff, had been infected with a virus.
Further investigation of the server showed that someone had hacked into the system and potentially accessed the data, Sams said. The compromised system contained data from the student health service, including information such as birth dates, Social Security numbers and clinical information. The system also contained data on individuals receiving counseling and psychological services, but in this case the data was restricted to Social Security numbers, dates of birth and dates of service.
Sams did not elaborate on how the hack occurred or whether it was perpetrated by an insider or an external attacker.
"The software vendor we are using felt the files were well protected" and didn't need any encryption, Sams said. The university's own IT staff had felt there was a "theoretical possibility" that unencrypted information on the system could be illegally accessed but decided to go with the vendor's recommendation and did not encrypt the data, he said.
Following the discovery of the breach, the server was taken off-line and will not be restored to service until all sensitive data on it is encrypted, he said. For the moment, the health center has reverted to a paper system, he added.
The discovery of the latest compromise follows two others over the past few weeks. On April 21, a server containing patent data and intellectual property files belonging to the university's Technology Transfer Department was compromised. The university learned of the breach only after the FBI informed it that the system was tied to another case that the agency was investigating.
Three days later, university IT officials discovered that someone had hacked into an alumni database server containing personal and biographical information for more than 300,000 individuals and organizations. That incident resulted in the university's sending out fraud alert letters to 137,800 people whose Social Security numbers were stored on the system. Both incidents were publicly disclosed the week of May 1 (See "Ohio University reports two separate security breaches ").
The incidents have prompted a sweeping audit of the university's security posture and will likely result in more breaches being found, Sams said.
"We have a 20-person team working on this seven days a week," Sams said. The university has signed on Atlanta-based Internet Security Systems to assist with the review, he said.
"We are going to be reviewing all of the issues and developing some corrective action plans," he said. "There will be substantial, significant and ongoing" changes to better secure its networks and systems, he said.
Barely 10 days after disclosing two separate security breaches involving its computers, the university announced yet another incident in which sensitive data on one of its systems was illegally accessed by an unknown hacker. And there may be even more such disclosures to come as the university's IT department continues a sweeping security review of its networks and systems, warned CIO Bill Sams.
The latest incident involved a server supporting the university's Hudson Health Center. On May 4, the school's IT staff discovered that the system, which holds records of about 60,000 current and former students as well as some faculty and staff, had been infected with a virus.
Further investigation of the server showed that someone had hacked into the system and potentially accessed the data, Sams said. The compromised system contained data from the student health service, including information such as birth dates, Social Security numbers and clinical information. The system also contained data on individuals receiving counseling and psychological services, but in this case the data was restricted to Social Security numbers, dates of birth and dates of service.
Sams did not elaborate on how the hack occurred or whether it was perpetrated by an insider or an external attacker.
"The software vendor we are using felt the files were well protected" and didn't need any encryption, Sams said. The university's own IT staff had felt there was a "theoretical possibility" that unencrypted information on the system could be illegally accessed but decided to go with the vendor's recommendation and did not encrypt the data, he said.
Following the discovery of the breach, the server was taken off-line and will not be restored to service until all sensitive data on it is encrypted, he said. For the moment, the health center has reverted to a paper system, he added.
The discovery of the latest compromise follows two others over the past few weeks. On April 21, a server containing patent data and intellectual property files belonging to the university's Technology Transfer Department was compromised. The university learned of the breach only after the FBI informed it that the system was tied to another case that the agency was investigating.
Three days later, university IT officials discovered that someone had hacked into an alumni database server containing personal and biographical information for more than 300,000 individuals and organizations. That incident resulted in the university's sending out fraud alert letters to 137,800 people whose Social Security numbers were stored on the system. Both incidents were publicly disclosed the week of May 1 (See "Ohio University reports two separate security breaches ").
The incidents have prompted a sweeping audit of the university's security posture and will likely result in more breaches being found, Sams said.
"We have a 20-person team working on this seven days a week," Sams said. The university has signed on Atlanta-based Internet Security Systems to assist with the review, he said.
"We are going to be reviewing all of the issues and developing some corrective action plans," he said. "There will be substantial, significant and ongoing" changes to better secure its networks and systems, he said.
Labels: Ohio Univ.
