Ohio University
Ohio University CORE Error Exposes Personal Information
Quick Facts
- Date: 7/25/08
- Institution: Ohio University
- Type of Incident: Unauthorized Disclosure
- Number Affected: 492
- Source: Attrition.org
- Abstract Source: The Columbia Dispatch
Abstract
A clerical error at Ohio University's Centers for Osteopathic Research and Education (CORE) caused personal information on 492 individuals to be posted online. The data, contained in an excel spreadsheet, contained the names, Social Security numbers, addresses, contact numbers and federal employment identification numbers of individuals that had spoke at CORE according to a university spokesperson. The spreadsheet had been available from March 20 until it was removed on June 16 when a nurse discovered the file while doing research online. According to CORE the document that should have been posted did not contain any personal information. The individual that made the error was placed on paid administrative leave pending a review. CORE has created a web site - www.ohiocore.org/answers - and hotline - 866-437-8698 - to help answer questions.
[UPDATE] 25,000 OU Student Pictures Online Without Password Protection
Quick Facts
- Date: 3/4/2008
- Institution: Ohio University
- Type of Incident: Unauthorized Disclosure
- Number Affected: 25,000
- Source: Pogo Was Right
- Abstract Source: The Post
- Update Source: The Chronicle of Higher Education
Abstract
David M. Hendricks Jr., a Post reporter and Ohio University Resident Assistant, recently alerted Ohio University that pictures of 25,000 OU students were available via the Internet. The pictures, part of the university's Community Incident Report web site, were discovered after Hendricks started added different words to the end of the site's address. Hendricks found that the pictures came up without any need for him to use his RA login and password to the Community Incident Report system. Ohio University secured the site within hours of notification and it does not appear the site was indexed or cached by any search engine. The pictures were not accompanied by names but did include 10-digit identification codes that allow appear on student IDs. According to Patrick Beatty, Associate University Registrar, pictures are not considered directory information by the university. According to OU's Internal Audit guidelines, posting a student’s picture on a Web site without a signed release is a violation of federal privacy law.
Update1: Ohio University is disputing the claims made by the OU newspaper that 25,000 student pictures were available to the Internet with no protections. According to OU CIO Bruce Bible, "It's been overblown. There has been nothing exposed, and the information was non-descriptive to start with. There is no sensitive data tied to this site." According to Bible, to get access to all of the pictures, a resident assistant would need to first log in and then right-click to get the address for the entire directory. This address could then be shared with others.
More Computer Breaches Discovered at Ohio University
Quick Facts
- Date: 6/9/2006
- Institution: Ohio University
- Type of Incident: Penetration
- Number Affected: 70,000
- Source: Attrition.Org
- Abstract Source: Ohio News Now
Abstract
Ohio University officials announced that two more computer systems were discovered to have been the victims of criminal computer attacks. These recent breaches exposed personal information on over 70,000 individuals including subcontractors paid by Ohio University over the past two years. In a letter sent out to affected individuals the university was quick to point out that there has been no evidence that personal information was being used to commit fraud or identity theft.
OU's Hudson Health Center Suffers Computer System Breach
Quick Facts
- Date: 5/12/2006
- Institution: Ohio University
- Type of Incident: Penetration
- Number Affected: 60,000
- Source: InfoSec News
- Abstract Source: Ohio.com
Abstract
For the third time in as many weeks, Ohio University discovered another breach in its computer systems. This time the computer was part of Ohio University's Hudson Health Center. The names, dates of birth, Social Security numbers and medical information on 60,000 current and former students as well as any faulty or staff who sought treatment at the health center were exposed. Ohio University has launched a complete review of all information systems owned by the university.
Ohio University Reports Two Separate Security Breaches
Quick Facts
- Date: 5/2/2006
- Institution: Ohio University
- Type of Incident: Penetration
- Number Affected: 300,000 (137,000 SSNs)
- Source: Privacy Rights Clearinghouse
- Abstract Source: < a href="http://www.computerworld.com/databasetopics/data/story/0,10801,111113,00.html">ComputerWorld
Abstract
Ohio University discovered that a computer thought to have been decommissioned had been compromised as far back as 2005. This breach exposed the names and Social Security numbers of more then 137,000 individuals as well as the personal and biographical information on more the 300,000 individuals and organization at Ohio University. The University is sending out 10,000 e-mails per hour notifying individuals of this breach.
Ohio University was alerted to a second, unknown security breach by the FBI. The FBI become aware of the problem while working on an unspecified case. The server in question housed patent and intellectual properly information owned by Ohio University.
