Educational Security Incidents (ESI)

Quick Facts

• Date: 11/17/2008
• Institution: University of the Cumberlands
• Type of Incident: Penetration
• Number Affected: Unknown
• Source: Pogo Was Right
• Abstract Source: Lexington Herald-Leader, Kentucky Attorney General Press Release

Abstract
A University of the Cumberlands student has been arrested and charged with hacking into student email accounts and using the information to blackmail these students. According to a press release from the Office of the Attorney General, Sungkook Kim was charged with identity theft and unlawful access to a computer following an investigation by the AG's cybercrime unit and the Williamsburg police. The investigation discovered that Kim had installed spyware on campus library computers to capture user IDs and passwords of students and faculty using the computers.

Quick Facts

• Date: 11/14/2008
• Institution: University of Iowa Hospitals and Clinics
• Type of Incident: Employee Fraud
• Number Affected: Unknown
• Source: ESI
• Abstract Source: The Gazette

Abstract
University of Iowa Hospitals and Clinics announced that eight University Hospitals staff members are facing disciplinary actions after inappropriately accessing confidential patient records. Staff discovered the inappropriate access during a routine review of patient record access. According to hospital CEO Ken Kates the hospital has disclosed the incident and apologized to those affected. According to Kates, the hospital will be "stepping up both our training and the penalties for inappropriately accessing or sharing confidential patient information". One of the staff members involved with this incident has been fired.

Quick Facts

• Date: 11/14/2008
• Institution: Rockland Community College
• Type of Incident: Employee Fraud
• Number Affected: 12
• Source: ESI
• Abstract Source: LoHud.com

Abstract
A Rockland Community College student worker has been accused of stealing credit card numbers of former students to purchase high-end clothing costing over $2,200. Ololade Aiyeku, an American citizen from Nigeria, is accused of stealing the credit card information while working in RCC's records office. Police believe Aiyeku gained access to the credit card information of 12 former students' transcript applications by either making copies or stealing them. According to RCC spokeswoman Zipora Reitma students do not normally have access to credit card information. The college plans to look at how this happened and what changes might be made to prevent this type of incident in the future. Spring Valley Police were able to trace a Nordstrom purchase to Aiyeku's apartment where they found numerous receipts and even some notes on purchases. According to Detective David Humested, "He [Aiyeku] was very meticulous with his paperwork." Aiyeku has been charged with 38 felony counts and 31 misdemeanor counts.

Quick Facts

• Date: 11/13/2008
• Institution: University of Maine
• Type of Incident: Penetration
• Number Affected: 200
• Source: ESI
• Abstract Source: WCSH6, Bangor Daily News

Abstract
The University of Maine announced the arrest of a former student charged with illegally accessing hundreds of student email accounts. Following a three week investigation by the University of Maine campus police, the Maine State Police Computer Crimes Task Force and the United States Secrete Service charged former UMaine business student James Wieland with one count of aggravated criminal invasion of computer privacy. The university believes that Wieland is responsible for distributing a downloadable game through email that contained a trojan key logging program. Wieland allegedly sent the email to over 1,000 student email address and had gained access to over 200 accounts as a result. The university became aware of the incident after two students received emails from each other while riding on an airplane together. It is not known why Wieland wanted access to these accounts.

Quick Facts

• Date: 11/12/2008
• Institution: University of Florida
• Type of Incident: Penetration
• Number Affected: 336,234
• Source: ESI
• Abstract Source: Network World

Abstract
The University of Florida announced that a server containing College of Dentistry patient information was breached by an unknown individual(s). The server contained the names, addresses, birth dates, Social Security numbers of 344,482 patients dating back to 1990. Some of these records did contain dental procedure information. UF discovered the breach on Oct 3rd when staff were performing upgrades on the server. Staff found that an unknown individual(s) had compromised the computer and remotely installed additional software on the server. The server was immediately taken down until staff could strengthen the security controls of the system. UF has mailed out notifications to 336,234 individuals affected by this breach. In the online FAQ, the University of Florida states that the university will not offer any free credit monitoring to the individuals affected by this breach. The university has more information on the incident here - privacy.ufl.edu.