In the wake of an audit that resulted in the suspension of two top-level information technology staffers, officials at Ohio University (OU) are working to correct mistakes that compromised 173,000 Social Security numbers in school computers.
The latest in a string of high-profile security breaches at several major U.S. colleges and universities, OU’s troubles have prompted school technology directors nationwide to reexamine an important question: how to balance the need for personal security with the educational benefits of an open and accessible technology infrastructure.
Since February 2005, universities nationwide have accounted for almost 50 percent of computer data theft, according to the Privacy Rights Clearinghouse, a nonprofit consumer advocacy group in San Diego.
Colleges and universities are a prime target for electronic data thefts because of their wide use of names, addresses, and Social Security numbers, experts say.
"The reason is simple. Colleges have a tendency to use information, like Social Security numbers, for student IDs," said Jay Foley, executive director of the Identity Theft Resource Center, another San Diego nonprofit.
OU is in the midst of investigating five cases of data theft since March 2005, in which 367,000 files containing personal information – including Social Security numbers, names, medical records, and home addresses – reportedly were exposed.
The independent audit, conducted by researchers at Moran Technology Consulting of Naperville, Ill., criticizes the university’s Computer and Network Services division for making security a low priority for more than 10 years, though it had an annual budget averaging $11 million and annual surpluses averaging $1.4 million.
Not enough skilled computer staff members, and computer officials who did not "firmly and loudly identify important security problems," contributed to the data thefts, the audit said.
The audit details a profound problem, said R. Gregory Brown, chairman of the school’s board of trustees. The board in June approved spending up to $4 million to secure university computers.
In response to the audit, University President Roderick McDavis on June 20 suspended with pay IT director Tom Reid and the university’s internet and systems manager, Todd Acheson, pending a formal investigation, the Associated Press (AP) reported. McDavis then sent an eMail message to faculty and staff, saying he deeply regretted the inconvenience and stress the breaches have caused university employees.
"We hold ourselves fully accountable," McDavis wrote in his message.
Two OU graduates whose Social Security numbers were among the 173,000 possibly stolen from school computers have filed a lawsuit alleging their right to privacy has been violated.
Donald Jay Kulpa, 31, and Kenneth Neben, 34, filed the lawsuit in Columbus on June 23. The lawsuit, which seeks class-action status, asks a judge to order the school to pay for credit monitoring services for those affected. It also requests compensation for anyone who suffers financial losses from the breaches.
The university announced April 21 that it had discovered a computer breach at its training center for fledgling businesses. Since then, electronic break-ins also were reported at the school’s alumni office, health center, and the department that handles records for businesses the university hires.
At the time of the attacks, OU Chief Information Officer Bill Sams said the school was responsible for operating and securing some 90 servers. And that was just the school’s primary computer network; more servers are operated by individual university departments.
"If you’re a corporation, you can just lock everything down," Sams said. "We don’t have that luxury. The academic side is trying to find a line between maximum flexibility and data security … We need someone, somewhere, to come up with a set of best practices for schools."
After news of the breaches first broke, Sams announced plans to reorganize the university’s IT department. "There’s not one silver-bullet easy answer," he told AP. "It’s going to be funding issues, staffing issues, training issues, policies and procedure issues, priority issues. All of those."
Newly installed protection software shows that hackers from Eastern Europe, China, the United States, and elsewhere try to break into OU’s servers up to 10,000 times an hour, he said.
Such a large number of hacking attempts is typical at universities. For example, the University of Southern California says it fights off between 500,000 and 1 million attacks a day.
In the case of OU’s compromised Social Security data, outside experts say it’s possible hackers have had access to the information for more than a year.
"That’s unbelievable," Avivah Litan, a security analyst with research firm Gartner Inc., told online technology news source CNET for a story published May 21. "I have never heard of that much of a delay. Why would it take a year to discover this? It doesn’t make any sense."
Over the past year, CNET has reported security breaches at Notre Dame, Purdue, and Georgetown universities. And there have been others, too.
In May, officials at the University of Delaware’s Department of Public Safety reported that personal information for more than 1,000 people might have been stolen in a computer security breach.
The loss was discovered April 8, but officials said it took several weeks to determine which records and whose personal information were involved and to track down the addresses of the potential victims of identity theft.
Meanwhile, the University of Kentucky says personal information for as many as 6,500 students and alumni might have been stored on a computer drive reported stolen from a faculty member.
According to the university, a faculty member in the School of Human Environmental Sciences on May 26 reported the theft of a "thumb drive" that contained academic and personal data about current and former students.
The faculty member, who was not identified, said the drive held the rosters of students enrolled in his classes between 1988 and 2006. The drive included each student’s Social Security number, which the school uses as an identification number.
"This is a regrettable incident, and we are deeply sorry that it has occurred," said Patricia Terrell, the school’s vice president of student affairs, in a release. "We are doing everything possible to contact those who may be impacted by this incident."
Security issues also have touched Kent State, Miami, Colorado, and Cleveland State universities, as well as the Ohio State University Medical Center, in the past year.
Universities are easy targets for hackers because of the large amount of personal data they keep, their powerful computer systems, and their emphasis on open communication over security, said Rodney Petersen of EDUCAUSE, a nonprofit organization that helps universities set standards for using computer technology.
Universities, corporations, and government agencies are reporting more data theft, partly because new state laws are requiring the disclosures, he said. Ohio passed such a law earlier this year.
People ages 18-29 make the most reports of identity theft in the nation, according to the Identity Theft Data Clearinghouse, a division of the Federal Trade Commission.
OU students, alumni, and employees have been told to run credit checks and place fraud watches on their credit card and bank accounts. About two dozen people with ties to the university have told the school they were victimized by identity theft in the last year.
As data thefts at colleges and universities nationwide become more publicized, schools say they’re becoming more vigilant. Some have stopped using Social Security numbers as student IDs.
The University of Cincinnati will assign students and employees new numbers to replace their Social Security numbers this fall. The University of Dayton is revamping its security and spreading the word about the dangers of data misuse.