Educational Security Incidents (ESI)

Quick Facts

• Date: 7/2/2008
• Institution: University of Nebraska at Kearney
• Type of Incident: Penetration
• Number Affected: 2,035
• Source: ESI
• Abstract Source: NTV

Abstract
The University of Nebraska at Kearney has begun sending letters to former students after nine computers where discovered to have been compromised by an unknown individual. These computers, located in the College of Natural and Social Sciences contained information on advisees in the Department of History in 2002 and 2003, deciding students in Fall 2001 and Fall 2002, and students in the online Master of Science in Biology program since Spring 2005 including 2,035 student Social Security numbers. According to university officials, no academic records were affected. The university has created a web site - www.unk.edu/securityincident/ - and a hotline - 308-865-8950 - where concerned individuals can get more information. On the web site, the university recommends that students affected by this incident place fraud alerts on their credit reports.

Quick Facts

• Date: 6/25/2008
• Institution: Cornell University
• Type of Incident: Theft
• Number Affected: 2,500
• Source: ESI
• Abstract Source: The Ithaca Journal

Abstract
Cornell University recently announced that it will begin offering one year of free credit protection to 2,500 students whose personal information may have been copied from a desktop computer. The possible breach was discovered in March, when Cornell staff found a computer in the Office of Minority Educational Affairs was infected with several viruses and malware that could have been used to record and steal information on the computer. One of the files on this affected computer contained a spreadsheet with names and Social Security numbers of a large number students and alumni that had participated in the University's Pre-Freshman Summer Program.

Quick Facts

• Date: 6/23/2008
• Institution: Southeast Missouri State University
• Type of Incident: Employee Fraud
• Number Affected: 800
• Source: Pogo Was Right
• Abstract Source: KFVS

Abstract
Southeast Missouri State University is working to alert students after it discovered that student personal information may be at risk. During a review of activity logs, the university discovered that a former employee had access hundreds of student records. According to university officials, records of 800 students, which included names and Social Security numbers, were found in the former employee's computer files. The university has filed charges against the former employee. The university has also setup a web site - www.semo.edu/identityalert/ - where students can find more information. Students wish additional questions are encouraged to call - (573) 986-6800 - or e-mail - identityalert@semo.edu - the university.

Quick Facts

• Date: 6/21/2008
• Institution: Arizona State University, Northern Arizona University, University of Arizona
• Type of Incident: Unauthorized Disclosure
• Number Affected: 10,000
• Source: ESI
• Abstract Source: The Arizona Republic

Abstract
A recent state audit has uncovered a number of serious weaknesses in the web systems at Arizona state's universities. State auditors were able to access personal information, including names and Social Security numbers, of 10,000 individuals. In addition, auditors found weaknesses that, if exploited, would allow an individual to take over large numbers of user accounts, change records and install malicious software. The audit only looked at a small percentage of web applications at the universities and the auditors believe that similar vulnerabilities are likely to exist in other web-based applications at the universities. The audit recommends that Arizona State University, Northern Arizona University and the University of Arizona develop comprehensive information security programs, provide better training for Web developers and conduct regular security tests.

Quick Facts

• Date: 6/12/2008
• Institution: Columbia University
• Type of Incident: Employee Fraud
• Number Affected: 5,000
• Source: Pogo Was Right
• Abstract Source: Columbia Spectator, NY Sun

Abstract
Columbia University is apologizing to students after it discovered that a file available through a Google-hosted Web site contained personal student information. The file in question, a Housing and Dining database, was apparently uploaded by a student working for the Housing department in 2007. The student information was available from February 2007 through June 3, 2008 when an alumna discovered the personal information through a Google search. The university worked with Google to remove the file from the hosted web site. The university is offering two years of credit monitoring for the affected individuals. A petition circulated by Columbia students condemned the Housing department. The petition also called for department to launch an investigation of the student worker responsible for the incident, publicly disclose the results of the investigation the department is lawfully able to disclose and publicly report the steps the department will take to screen employees' ability to properly handle confidential information.