In the wake of an audit that resulted in the suspension of two top-level information technology staffers, officials at Ohio University (OU) are working to correct mistakes that compromised 173,000 Social Security numbers in school computers.

The latest in a string of high-profile security breaches at several major U.S. colleges and universities, OU’s troubles have prompted school technology directors nationwide to reexamine an important question: how to balance the need for personal security with the educational benefits of an open and accessible technology infrastructure.

Since February 2005, universities nationwide have accounted for almost 50 percent of computer data theft, according to the Privacy Rights Clearinghouse, a nonprofit consumer advocacy group in San Diego.

Colleges and universities are a prime target for electronic data thefts because of their wide use of names, addresses, and Social Security numbers, experts say.

“The reason is simple. Colleges have a tendency to use information, like Social Security numbers, for student IDs,” said Jay Foley, executive director of the Identity Theft Resource Center, another San Diego nonprofit.

Ohio is in the midst of investigating five cases of data theft since March 2005, in which 367,000 files containing personal information–including Social Security numbers, names, medical records, and home addresses–were exposed.

The independent audit, conducted by researchers at Moran Technology Consulting of Naperville, Ill., criticizes the university’s Computer and Network Services division for making security a low priority for more than 10 years, though it had an annual budget averaging $11 million and annual surpluses averaging $1.4 million.

Outside consultants also found the department gave about 65 employees health-club memberships and other additional benefits not enjoyed by other workers at the university, all while doing little to shore up the school’s network against further attacks.

Not enough skilled computer staff members, and computer officials who did not “firmly and loudly identify important security problems,” contributed to the data thefts, the audit said.

The audit details a profound problem, said R. Gregory Brown, chairman of the school’s board of trustees. The board recently approved spending up to $4 million to secure university computers.

In response to the audit, University President Roderick McDavis on June 20 suspended with pay IT director Tom Reid and the university’s internet and systems manager, Todd Acheson, pending a formal investigation, the Associated Press (AP) reported. McDavis then sent an eMail message to faculty and staff, saying he deeply regretted the inconvenience and stress the breaches have caused university employees.

“We hold ourselves fully accountable,” McDavis wrote in his message.

The university announced April 21 that it had discovered a computer breach at its training center for fledgling businesses. Since then, electronic break-ins also were reported at the school’s alumni office, health center, and the department that handles records for businesses the university hires.

At the time of the attacks, OU Chief Information Officer Bill Sams said the school was responsible for operating, securing, and maintaining some 90 servers. And that was just the school’s primary computer network; more servers are operated by individual university departments.

“If you’re a corporation, you can just lock everything down,” Sams said. “We don’t have that luxury. The academic side is trying to find a line between maximum flexibility and data security … We need someone, somewhere, to come up with a set of best practices for schools.”

After news of the breaches first broke, Sams announced plans to reorganize the university’s IT department.

“There’s not one silver-bullet easy answer,” Sams told AP. “It’s going to be funding issues, staffing issues, training issues, policies and procedure issues, priority issues. All of those.”

Newly installed protection software shows that hackers from Eastern Europe, China, the United States, and elsewhere try to break in to OU’s servers up to 10,000 times an hour, he said.

Such a large number of hacking attempts is typical at universities. For example, the University of Southern California says it fights off between 500,000 and 1 million attacks a day.

Sams does not believe OU’s five break-ins were related, because the attacks came from different parts of the world. Experts said figuring out whether there is a connection would be difficult.

In the case of OU’s compromised Social Security data, outside experts say it’s possible hackers have had access to the information for more than a year.

“That’s unbelievable,” Avivah Litan, a security analyst with research firm Gartner Inc., told online technology news source CNET for a story published May 21. “I have never heard of that much of a delay. Why would it take a year to discover this? It doesn’t make any sense.”

Litan said she was especially surprised by the duration of the breach, because major universities today are acutely aware of these dangers.

Over the past year, CNET has reported security breaches at Notre Dame, Purdue, and Georgetown universities.

And there have been others, too.

In May, officials at the University of Delaware’s Department of Public Safety reported that personal information for more than 1,000 people might have been stolen in a computer security breach.

The loss was discovered April 8, but officials said it took several weeks to determine which records and whose personal information were involved and to track down the addresses of the potential victims of identity theft.

“This is not something you can just hit a keystroke and get,” UD public safety director James Flatley told AP.

Flatley refused to provide details about whose information was stored in the database, other than that it involved “individuals other than students.”

“These are people we’ve had contact with,” he said.

Officials said they did not know whether any personal information was actually acquired by the hackers.

Meanwhile, the University of Kentucky says personal information for as many as 6,500 students and alumni might have been stored on a computer drive reported stolen from a faculty member.

According to the university, a faculty member in the School of Human Environmental Sciences on May 26 reported the theft of a “thumb drive” that contained academic and personal data about current and former students.

The faculty member, who was not identified, said the drive held the rosters of students enrolled in his classes between 1988 and 2006. The drive included each student’s Social Security number, which the school uses as an identification number.

“This is a regrettable incident, and we are deeply sorry that it has occurred,” said Patricia Terrell, the school’s vice president of student affairs, in a release. “We are doing everything possible to contact those who may be impacted by this incident.”

The thumb-drive theft was the second time in a month the university had revealed employees or students might have been exposed to identity theft. The university said earlier in May that it unintentionally made personal information of 1,300 current and former employees available to the public for 19 days that month.

The school said it mailed letters to each of the students and alumni possibly affected by the theft, asking them to check their financial information for any suspicious activity.

Security issues also have touched Kent State, Miami, Colorado, and Cleveland State universities, as well as the Ohio State University Medical Center in the past year. Last year, eSchool News reported similar problems at other institutions, including Boston College, George Mason University in Virginia, and the University of California at Berkeley (See story: http://www.eschoolnews.com/news/showStory.cfm?ArticleID=5637).

Some have been computer thefts or hacking, while in other cases, personal information was accidentally posted online. Many of the affected schools are updating their systems and urging those on campus to be careful when storing personal information.

Ohio University only became aware that a problem existed after the FBI discovered someone had remotely taken control of one of the school’s servers.

Universities are easy targets for hackers because of the large amount of personal data they keep, their powerful computer systems, and their emphasis on open communication over security, said Rodney Petersen of EDUCAUSE, a nonprofit organization that helps universities set standards for using computer technology.

Universities, corporations, and government agencies are reporting more data theft, partly because new state laws are requiring the disclosures, he said. Ohio passed such a law earlier this year.

People ages 18-29 make the most reports of identity theft in Ohio and the nation, according to the Identity Theft Data Clearinghouse, a division of the Federal Trade Commission.

OU students, alumni, and employees have been told to run credit checks and place fraud watches on their credit card and bank accounts. About two dozen people with ties to the university have told the school they were victimized by identity theft in the last year.

As data thefts at colleges and universities nationwide become more publicized, schools say they’re becoming more vigilant. Some have stopped using Social Security numbers as student IDs.

The University of Cincinnati will assign students and employees new numbers to replace their Social Security numbers this fall. The University of Dayton is revamping its security and spreading the word about the dangers of data misuse.

OU knows of two dozen people associated with the university who have suffered identity theft, Sams said. University officials don’t know whether those instances are related to the computer breaches.

OU senior Aurora Grossman, 21, said she had a scare earlier this year when a Florida man tried to take out several credit cards in her name. She’s worried it could happen again, considering that she uses her Social Security number to log in to university computers and to check in at her campus job.

Dallas Cheatham, an alumna from Columbus, immediately checked her credit report when she read the university’s warning letter. Her college friends send eMail messages containing university updates and news reports to one another.

Cheatham, 31, said she wasn’t surprised to hear of the data breaches.

“In this day and age, there are plenty of people looking to get something for nothing,” she said.

The university said it has been notifying all affected individuals by mail and eMail. It has developed a web site on dealing with identity theft–http://www.ohio.edu/datasecurity–and has been working to tighten security.

Experts recommend that consumers, who are increasingly faced with data exposures, check their credit reports annually for damaging errors or possible identity theft.

Links:

Ohio University
http://www.ohio.edu/

OU’s new identity theft page
http://www.ohio.edu/datasecurity

University of Delaware
http://www.udel.edu/

University of Kentucky
http://www.uky.edu/

EDUCAUSE
http://www.educause.edu

Gartner Inc.
http://www.gartner.com/

Identity Theft Resource Center
http://www.idtheftcenter.org/

Privacy Rights Clearinghouse
http://www.privacyrights.org/
