Educational Security Incidents (ESI)

Quick Facts

• Date: 4/3/2008
• Institution: University of Michigan
• Type of Incident: Unauthorized Disclosure
• Number Affected: Unknown
• Source: Pogo Was Right
• Abstract Source: The Michigan Daily

Abstract
The University of Michigan is investigating the how The Ann Arbor News obtained federally protected data on students that appeared in a recent news article about student athletes at the university. The article, titled "University of Michigan athletes steered to professor", contained information on which courses student-athletes had taken and even included the GPAs of two students. This type of information is protected by the Family Educational Rights and Privacy Act (FERPA). According to University Provost Teresa Sullivan, the university warned the newspaper that the information was confidential and obtained in violation of federal law. According to Kelly Cunningham, the university had cautioned the paper against publishing this information twice. Cunningham also does not believe that any student-athlete had given the paper permission to reprint their personal information.

Quick Facts

• Date: 12/14/2007
• Institution: University of Michigan - Flint
• Type of Incident: Penetration
• Number Affected: Unknown
• Source: Pogo Was Right
• Abstract Source: ABC 12

Abstract
The University of Michigan - Flint is alerting student that their personal information may be at risk after several U of M - Flint machines were found to have been breached. The university noticed the breach of "several servers" on December 6. The university did not release what information is at risk or how many servers were affected, but is currently investigating the breach. The university urged students and staff to change passwords and will release more information when it becomes available.

Quick Facts

• Date: 9/13/2007
• Institution: University of Michigan
• Type of Incident: Theft
• Number Affected: 8,585
• Source: ESI
• Abstract Source: The Ann Arbor News

Abstract
University of Michigan is alerting over 8,000 patients of the university's Community Family Health Center after backup tapes containing patient data were discovered stolen. UM is sending two different letters to different patients depending upon the patient information contained on the tapes. The first letter, already sent to 4,513 people, let patients know that the tapes contained their name, address and medical information. The second letter, that the university plans to send to an additional 4,072 individuals, will let patients know that along with name, address and medical information, their Social Security number was also on the stolen backup tapes. UM police are investigating the theft but the university has no further information on the theft.

Quick Facts

• Date: 7/21/2007
• Institution: University of Michigan
• Type of Incident: Penetration
• Number Affected: 5,500
• Source: Attrition.org
• Abstract Source: Detroit Free Press

Abstract
The University of Michigan is alerting current and former students about the exposure of personal information after an unknown individual(s) gained access to two School of Education databases. These databases contained the names, addresses, and some Social Security numbers of 5,500 individuals. At this point there is no evidence that the individual(s) that gained access were after personal information, but the university's public safety department is investigating the incident. The breach was first discovered on July 3 and the university began sending out notifications on July 16. According to Kelly Cunningham, a university spokesperson, the notifications were sent out as a precaution.

Quick Facts

• Date: 2/13/2006
• Institution: California State University - Northridge, University of Michigan, University of California - Los Angeles
• Type of Incident: DDoS attacks
• Number Affected: Unknown
• Source: EDUPAGE
• Abstract Source: Edupage

Abstract

Three men have been charged by federal authorities in a botnet scheme that reportedly netted the three $100,000 and caused $150,000 in damage. According to the indictment, Christopher Maxwell and two unnamed conspirators created a network of computers by illegally accessing networks at California State University at Northridge, the University of Michigan, and the University of California at Los Angeles. Using the network of zombie machines, the men installed adware on users' computers and also launched a denial-of-service attack on the network of Seattle's Northwest Hospital. The attack on the hospital resulted in the monetary damages cited in the indictment and also shut down the facility's intensive care unit. U.S. Attorney John McKay noted that although botnets are often seen as mere nuisances, this case shows that the repercussions from them can be deadly. If convicted, Maxwell could serve 10 years in prison and be fined $250,000.

(CNET, 13 February 2006)

Abstract by EDUPAGE editors