Educational Security Incidents (ESI) - Sometimes the free flow of information is unintentional

Stolen Ohio University-Chillicothe Hard Drive Contained Personal Information

Adam Dodge — Tue, 23 Dec 2008 09:42:49 -0600

Quick Facts

Date: 12/23/2008
Institution: Ohio University - Chillicothe
Type of Incident: Theft
Number Affected: 38
Source: Pogo Was Right
Abstract Source: Chillicothe Gazette

Abstract
Ohio University - Chillicothe is working to alert members of the university's Health Wellness Center after staff discovered the theft of a hard drive containing personal information. The drive, part of a stand-alone machine using specialized software, contained the names and Social Security numbers of 38 current and former members. OU-C discovered the theft on December 9th and began investigating the incident. According to OU-C officials, the information is very difficult to access without the special software used by the Health Wellness Center. However, to help protect the individuals affected by this incident, OU-C is offering one year of free credit monitoring to the 38 current and former members affected by the theft.

Sophisticated Breach Affects Lorian County Community College

Adam Dodge — Sat, 20 Dec 2008 09:34:08 -0600

Quick Facts

Date: 12/20/2008
Institution: Lorain County Community College
Type of Incident: Penetration
Number Affected: 22,000
Source: Pogo Was Right
Abstract Source: The Chronicle-Telegram

Abstract
Lorain County Community College announced that a sophisticated computer hacker breached two servers and could possibly have gained access to staff, students and community members personal information. The breach, which occurred during Thanksgiving break, involved the library card system which contained the names and Social Security numbers of about 22,000 staff, students and community members. LCCC staff discovered the breach when a virus alert went off due to an unknown individual download applications to the server. Staff immediately removed the server from the network to mitigate the breach until it could be investigated. According to LCCC VP of Strategic and Institutional Development Marcia Ballinger, the unknown individual was most likely looking to pirate space available on the servers and was not after personal information. However, LCCC will begin notifying all affected individuals and instructing them how to sign up for credit monitoring with Equifax. LCCC has enlisted the help and support of the FBI and other computer forensic experts in the investigation of the breach.

UNC School of the Arts Instructs Students to Monitor Credit Reports

Adam Dodge — Sat, 20 Dec 2008 09:08:09 -0600

Quick Facts

Date: 12/20/2008
Institution: University of North Carolina School of the Arts
Type of Incident: Penetration
Number Affected: 2,700
Source: Pogo Was Right
Abstract Source: Winston-Salem Journal

Abstract
The University of North Carolina School of the Arts is working to notify current and former students about a computer breach that may have exposed personal information. The server, which went on line in 2003, contained the names and Social Security numbers of about 2,700 students enrolled between 2003 and 2006. The breach occurred in May 2006 and, according to officials, the school became aware of the breach last week. UNCSA staff is working to investigate the breach and are conducting tests to ensure the future safety of personal information.

APSU Computers Containing Veteran's Information Stolen

Adam Dodge — Thu, 18 Dec 2008 08:58:08 -0600

Quick Facts

Date: 12/18/2008
Institution: Austin Peay State University
Type of Incident: Theft
Number Affected: 750
Source: ESI
Abstract Source: The Leaf Chronicle

Abstract
Austin Peay State University campus police are investigating the theft of two computers from the university's Veterans Upward Bound program. According to the program staff, at least one of these computers contained the names and Social Security numbers of at least 750 veterans. These computers were password-protected but not encrypted. While APSU staff state they have no reason to believe the information has been accessed, they are asking anyone that participated in the program between 1999 and 2007 to contact the university. The university will also begin sending certified letters to all affected individuals notifying them of the thefts.

Employees Notified Following UNC Greensboro Breach

Adam Dodge — Mon, 15 Dec 2008 19:45:26 -0600

Quick Facts

Date: 12/15/2008
Institution: University of North Carolina at Greensboro
Type of Incident: Penetration
Number Affected: Unknown
Source: ESI
Abstract Source: UNC Greensboro News Release

Abstract
The University of North Carolina at Greensboro is working to alert current and former employees after a detected a security breach on a workstation containing payroll information. The workstation contained the names, Social Security numbers, bank routing information and bank account numbers on an unknown number of individuals. The incident affects anyone that has received a payment from UNCG since April of this year. The breach was discovered after a payroll employee received a virus alert while trying to open a file on the computer. An investigation into the alert uncovered a virus had been on the computer for eight months which could have allowed unauthorized access to the workstation. UNCG has created a web site - fsv.uncg.edu/incident - with more information on the incident.

Stolen OHSU Laptop Contained Patient Data

Adam Dodge — Fri, 12 Dec 2008 19:05:44 -0600

Quick Facts

Date: 12/12/2008
Institution: Oregon Health & Science University
Type of Incident: Theft
Number Affected: 890
Source: OSF Data Loss DB
Abstract Source: Oregon Live

Abstract
Oregon Health & Science University is working to notify patients after a laptop containing personal information was stolen. The laptop, stolen from a worker in Chicago on business, contained medical record numbers, names, telephone numbers, dates of birth, gender, medical diagnosis category and category of treatment for 890 OHSU patients. According to OHSU, the information was password protected and may have been removed from the laptop before the theft.

Excel File Containing Student Information Found Online

Adam Dodge — Thu, 04 Dec 2008 06:51:22 -0600

Quick Facts

Date: 12/4/2008
Institution: California State Polytechnic University, Pomona
Type of Incident: Unauthorized Disclosure
Number Affected: 675
Source: Pogo Was Right
Abstract Source: Pasadena Star-News

Abstract
Cal Poly Pomona is working to alert former students after a file containing personal information was found online. The file, an excel spreadsheet, contained the names, address, phone numbers and Social Security numbers on 675 former Cal Poly Pomona student applicants from 2001. The file was discovered after a former Cal Poly Pomona did a Google search for his name. An investigation by the university found that the breach was unintentional and the file had mistakenly been placed in a publicly accessible folder. According to the university, there is not evidence that anyone other then the student who discovered the file had accessed this information.

Document Containing Mental Health and Criminal Records Accidentally Emailed

Adam Dodge — Tue, 02 Dec 2008 00:00:00 -0600

Quick Facts

Date: 12/2/2008

Institution: University of Manchester

Type of Incident: Unauthorized Disclosure

Number Affected: 469

Source: Pogo Was Right

Abstract Source: Student Direct

Abstract
The University of Manchester is apologizing after an email containing sensitive and personal student information was accidentally attached to an email sent to students. The email, sent to third-year Life Science students, contained a spreadsheet titled "2008 UG Final Year email addresses". This spreadsheet contained student names, University ID numbers, usernames, birthdates, ethnicities, nationality, stage of financial registration, and in some cases mental health issues and criminal records of all 469 Life Sciences students. The university removed the email and attachment from the system after several hours, but students may have saved local copies. The username and birthdate information can be used to access the accounts of students that have not changed the system defaults.

Campus Community Members Notifed After WSU Post Office Theft

Adam Dodge — Wed, 26 Nov 2008 06:08:08 -0600

Quick Facts

Date: 11/26/2008
Institution: Weber State University
Type of Incident: Theft
Number Affected: 69
Source: Pogo Was Right
Abstract Source: Desert News

Abstract
Weber State University is notifying members of the campus community after a thief broke into the campus post office. The thief made off with cash, a postal scale, three computers and hard copy postal box rental forms. According to the university, some of the rental forms taken contained names, addresses and Social Security numbers. Since the university does not know which forms contained personal information, it has notified all 69 individuals that had rented a post office box during the past eight years. Letters have been sent to these individuals with instructions on how to prevent and respond to identity theft in addition to information on an available credit monitoring service.

Student Charged With Hacking Email Accounts, Blackmailing Other Students

Adam Dodge — Mon, 17 Nov 2008 20:00:00 -0600

Quick Facts

Date: 11/17/2008
Institution: University of the Cumberlands
Type of Incident: Penetration
Number Affected: Unknown
Source: Pogo Was Right
Abstract Source: Lexington Herald-Leader, Kentucky Attorney General Press Release

Abstract
A University of the Cumberlands student has been arrested and charged with hacking into student email accounts and using the information to blackmail these students. According to a press release from the Office of the Attorney General, Sungkook Kim was charged with identity theft and unlawful access to a computer following an investigation by the AG's cybercrime unit and the Williamsburg police. The investigation discovered that Kim had installed spyware on campus library computers to capture user IDs and passwords of students and faculty using the computers.