Educational Security Incidents (ESI)

Quick Facts

• Date: 2/28/2008
• Institution: Asahikawa Medical College
• Type of Incident: Employee Fraud
• Number Affected: 2,220
• Source: ESI
• Abstract Source: Daily Yomiuri Online

Abstract
Asahikawa Medical College recently announced that it discovered 2,220 test samples taken from individuals had been leaked, along with some personal information, to four different companies in five different leaks occurring over a two and a half year period. This leak included samples taken during HIV and syphilis tests and of the 2,220 samples leaked, 1,800 syphilis samples included patient names and other personal information. During the investigation into the leak, the medical college found that the four companies receiving the samples donated about 3.85 million yen to the hospital's clinical laboratory blood transfusion department, which is the department that leaked the samples. The medical college plans to severely punish the four individuals involved in the leak. The hospital has made plans to recover the leaked samples, expect for those already destroyed, and has apologized to those individuals whose personal information was exposed.

Quick Facts

• Date: 2/27/08
• Institution: Salt Lake Community College
• Type of Incident: Theft
• Number Affected: 1,000
• Source: ESI
• Abstract Source: Salt Lake Tribune

Abstract
Salt Lake Community College has contacted more then 25,000 individuals after it discovered that a stolen laptop may contain usernames and passwords. According to officials, the laptop, stolen from the SLCC's Continuing Community Education office, could contain the login information on up to 1,000 students, faculty and staff members. The login information would allow and individual to access SLCC's "My Page" system which contains information suchw as Social Security numbers and financial information. Within a few hours of the theft, SLCC staff began contacting individuals, urging them to change their "My Page" passwords.

Quick Facts

• Date: 2/26/2008
• Institution: Ave Maria University
• Type of Incident: Unauthorized Disclosure
• Number Affected: Unknown
• Source: Pogo Was Right
• Abstract Source: Naples Daily News

Abstract
Hundreds of pages worth of Ave Maria's internal assessment documentation was available to the public through the university's web site. These documents contained information such as student grade point averages, test scores, exit interviews and research paper evaluations, however most were without attribution. The documentation was placed on the university's Institutional Effectiveness Committee web site to help the school evaluate its academic program with the misunderstanding that it would be protected from the public. According to Vice President of Academic Affairs Jack Sites, he believed the information would only be accessible by those people that knew the exact URL of the information. The university is not aware of how long the documents existed online, but officials removed the information as soon as it became aware of the problem.

Quick Facts

• Date: 2/23/2008
• Institution: University of Southern Mississippi
• Type of Incident: Penetration
• Number Affected: None
• Source: ESI
• Abstract Source: Hattiesburg American

Abstract
The University of Southern Mississippi recently announced that a security breach of the university's web site was discovered during routine monitoring. According to USM's Chief Information Officer Homer Coffman there is no evidence of unauthorized use of university information and only the main web site was affected by this incident. The USM web site was offline for 12 hours while the university investigated the incident.

Quick Facts

• Date: 2/19/2008
• Institution: Harvard University
• Type of Incident: Penetration
• Number Affected: Unknown
• Source: ESI
• Abstract Source: The Harvard Crimson
• Update Source: The Harvard Crimson

Abstract
Harvard University's Graduate School of Arts and Sciences (GSAS) is dealing with an attack on an GSAS web site. Over the weekend, an unknown individual was able to compromise an unsecured web site and steal files containing sensitive information such as the administrators username and password, web site databases , web site backups and even a contact database. This information was then posted to Pirate Bay, a popular P2P web site. The 125MB torrent file, which already had 30 seeders and 16 leechers by 8pm last night, was accompanied by a statement claiming that the attack was a demonstration that the GSAS administrator did not know how to properly secure a web site.

Update1: It seems the compromise of the Graduate School of Arts and Sciences web site could have exposed the personal information on up to 10,000 individuals including 6,000 Social Security number and 500 Harvard University student ID numbers. Harvard officials began notifying students after an investigation determined that Harvard could not determine whether or not personal information was exposed. Given this, the university decided to alert students and applicants and offer free credit monitoring through Kroll, Inc.