Educational Security Incidents (ESI)

Quick Facts

• Date: 5/15/2008
• Institution: Oklahoma State University - Stillwater
• Type of Incident: Penetration
• Number Affected: 70,000
• Source: ESI
• Abstract Source: The Daily O'Collegian, OSU - Stillwater Incident Alert
• Update1 Source: The Oklahoman

Abstract
Oklahoma State University - Stillwater is alerting staff and faculty that a parking server containing personal information was recently breached by an unknown individual(s). The server, used by the University's parking and transit services, housed a database containing the names, addresses, phone numbers, e-mail addresses and Social Security numbers on an unknown number of faculty and staff. After investigating the breach, OSU - Stillwater believes the attacker(s) breached the server for bandwidth and storage space, not the information housed on the system. However, OSU - Stillwater officials are working to notify any faculty or staff member that had purchased a parking permit between July 2002 and March 2008 just to be safe. President Burns Hargis called the security incident "totally unacceptable" and apologized for the incident. OSU - Stillwater has setup a website - idalert.okstate.edu/incident_00003.html - with more information.

Update1
The recent breach at Oklahoma State University affected a total of 70,000 students, faculty and staff. The university discovered the server breach back in March but waited until May to begin notifying individuals. According to officials the delay was due to an investigation to determine if the Social Security numbers had been accessed. The university was not able to make a determination. The affected server has been taken offline and the Social Security numbers have been removed.

Quick Facts

• Date: 5/14/2008
• Institution: Colorado State University
• Type of Incident: Unauthorized Disclosure
• Number Affected: 204
• Source: SSNBreach.org
• Abstract Source: SSNBreach.org Media Release

Abstract
The Liberty Coalition announced that it has notified Colorado State University that Warner College of Natural Resources student information was available online. The information included the names and Social Security numbers of 204 students and was contained in four different files. Colorado State officials removed the files within an hour of notification and immediately contacted major search engines to remove the files from caches. Colorado State plans to begin notifying affected students in the next few days. This most recent exposure is similar to the January 2008 incident in that the files again belonged to Warner College of Natural Resources, were on the same server and in the same sub-directory of those containing student information in January. According to Colorado State officials, Warner College is implementing plans to regularly scan its web site for files containing personal information.

Quick Facts

• Date: 5/9/2008
• Institution: Princeton University
• Type of Incident: Unauthorized Disclosure
• Number Affected: 103
• Source: Pogo Was Right
• Abstract Source: The Daily Princetonian

Abstract
The Princeton University Tower Club recently altered alumni after an e-mail to current members contained alumni information. The e-mail in question was sent with a spreadsheet containing the names and Social Security numbers of 103 alumni from 2006 and 2007 attached. Tower Club officers sent an e-mail asking those individuals that received the alumni information to delete the message "out of respect for '07". In an e-mail to the affected alumni, Tower graduate board chair Greg Berzolla said that Tower will pay for one year of identity theft protection. According to Berzolla, the spreadsheet was attached due to a technical glitch. “[The e-mail system] took an old e-mail and used it as a template [for Wednesday’s e-mail] as near as we can guess. It’s not a system very many people use or understand, that’s the problem," said Berzolla.

Quick Facts

• Date: 5/8/2008
• Institution: Dominican University
• Type of Incident: Unauthorized Disclosure
• Number Affected: 5,000
• Source: Pogo Was Right
• Abstract Source: NBC5

Abstract
Dominican University is alerting current and former students after it discovered two student workers had inappropriately accessed files containing personal information on the university's network. The files, three excel spreadsheets, contained the names, addresses, phone numbers, birthdays and Social Security numbers on over 5,000 current and former DU students. According to a statement released by the university, DU has notified all of the affected individuals and is working with local police and that state's attorney's office. In the letter to students, DU recommended the affected individuals contact the three credit bureaus and place fraud alerts on their accounts.

Quick Facts

• Date: 5/6/2008
• Institution: Ohio State University Agricultural Technical Institute
• Type of Incident: Unauthorized Disclosure
• Number Affected: 192
• Source: Attrition.org
• Abstract Source: The Columbus Dispatch

Abstract
The Ohio State University Agricultural Technical Institute accidentally sent an e-mail containing personal faculty and staff information to about 680 students. The e-mail had an excel attachment that contained names, positions, salaries and Social Security numbers on 192 faculty and staff members. In a follow-up e-mail students were asked to delete the e-mail that contained the personal information. Affected staff and faculty members are being offered free credit monitoring and identity theft protection. When asked if students could be trusted to delete the e-mail OSU ATI spokesperson Frances Whited responded "Of course!"