Educational Security Incidents (ESI)

Quick Facts

• Date: 7/2/2008
• Institution: University of Nebraska at Kearney
• Type of Incident: Penetration
• Number Affected: 2,035
• Source: ESI
• Abstract Source: NTV

Abstract
The University of Nebraska at Kearney has begun sending letters to former students after nine computers where discovered to have been compromised by an unknown individual. These computers, located in the College of Natural and Social Sciences contained information on advisees in the Department of History in 2002 and 2003, deciding students in Fall 2001 and Fall 2002, and students in the online Master of Science in Biology program since Spring 2005 including 2,035 student Social Security numbers. According to university officials, no academic records were affected. The university has created a web site - www.unk.edu/securityincident/ - and a hotline - 308-865-8950 - where concerned individuals can get more information. On the web site, the university recommends that students affected by this incident place fraud alerts on their credit reports.

Quick Facts

• Date: 6/25/2008
• Institution: Cornell University
• Type of Incident: Theft
• Number Affected: 2,500
• Source: ESI
• Abstract Source: The Ithaca Journal

Abstract
Cornell University recently announced that it will begin offering one year of free credit protection to 2,500 students whose personal information may have been copied from a desktop computer. The possible breach was discovered in March, when Cornell staff found a computer in the Office of Minority Educational Affairs was infected with several viruses and malware that could have been used to record and steal information on the computer. One of the files on this affected computer contained a spreadsheet with names and Social Security numbers of a large number students and alumni that had participated in the University's Pre-Freshman Summer Program.

Quick Facts

• Date: 6/21/2008
• Institution: Arizona State University, Northern Arizona University, University of Arizona
• Type of Incident: Unauthorized Disclosure
• Number Affected: 10,000
• Source: ESI
• Abstract Source: The Arizona Republic

Abstract
A recent state audit has uncovered a number of serious weaknesses in the web systems at Arizona state's universities. State auditors were able to access personal information, including names and Social Security numbers, of 10,000 individuals. In addition, auditors found weaknesses that, if exploited, would allow an individual to take over large numbers of user accounts, change records and install malicious software. The audit only looked at a small percentage of web applications at the universities and the auditors believe that similar vulnerabilities are likely to exist in other web-based applications at the universities. The audit recommends that Arizona State University, Northern Arizona University and the University of Arizona develop comprehensive information security programs, provide better training for Web developers and conduct regular security tests.

Quick Facts

• Date: 6/10/2008
• Institution: University of Utah
• Type of Incident: Theft
• Number Affected: 1,500,000 (Revised)
• Source: ESIhttp://www.adamdodge.com/esi/node/352/edit
• Abstract Source: University Health Care News Release
• Update1 Source: The Salt Lake Tribune
• Update2 Source: The Salt Lake Tribune

Abstract
The University of Utah Hospitals & Clinics is currently notifying 2.2 million patients about the theft of medical billing records. On June 2, a box of backup tapes containing patient and guarantors billing records was stolen out of a car belonging to a contracted independent storage company. The tapes contained the personal information on 2.2 million patients and guarantors including patient names, related demographic information and diagnostic codes. In addition, these records contained the Social Security numbers of 1.3 million patients. The Salt Lake County Sheriff’s Department, the FBI and the U.S. Postal Service are investigating the theft. According to Lorris Betz, M.D., Ph.D, Senior Vice President for Health Sciences, University of Utah Hospitals & Clinics is taking aggressive steps to protect patient confidentiality including notifying all 2.2 million individual through postal mail, offering one year of free credit monitoring to those whose SSNs were on the tapes and offering a $1,000 reward for the return of the tapes, no questions asked. The University of Utah Hospitals & Clinics has also setup a hotline - 866-581-3599 - and a web site - healthcare.utah.edu/billingrecordstheft - to help answer any questions and provide more information about the theft.

Update1
The University of Utah Hospitals & Clinics has revised the total number of affected individuals to 1.5 million. The revised count takes into account duplicate records and records on deceased individuals. However, the university also removed individuals where there is no valid address for the record. A spokesperson encouraged anyone who is concerned that they might be affected to call the hotline setup by University of Utah Hospitals and Clinics, especially if they do not receive a notification letter by July 1.

Update2
The stolen backup tapes containing 1.5 million University of Utah Hospital and Clinics patient records have been recovered according to the Salt Lake County Sheriff's Office. Detail surrounding the recovery are not available at this time but no arrests have been made concerning the theft. Salt Lake County sheriff's Lt. Paul Jaroscak called the investigation in to the theft deep and ongoing.

Quick Facts

• Date: 6/10/2008
• Institution: University of Florida
• Type of Incident: Unauthorized Disclosure
• Number Affected: 11,300
• Source: ESI
• Abstract Source: InsideUF

Abstract
The University of Florida began notifying current and past student that their personal information was found available online during a routine audit. The audit discovered that the names, address and Social Security numbers of 11,300 current and former UF students was available online through an Office for Academic Support and Institutional Service (OASIS) website. The site was developed by a former student employee and was used to allow student workers remote access to OASIS records while at remote locations. According to Joe Glover, interim dean of the College of Liberal Arts and Sciences, the student worker did not put any security controls in place to limit the access to this data. The OASIS site was actively used from 2003 through 2005 but remained online until the university discovered this incident and removed the information. The university has setup a hot line - 866-876-HIPA - and web site - privacy.ufl.edu/ - to help answer any questions affected individuals may have.