Quick Facts

• Date: 5/22/2009
• Institution: Ball State University
• Type of Incident: Penetration
• Number Affected: 2,000
• Source: ESI
• Abstract Source: Ball State Daily News Online

Abstract
Ball State University officials announced that the recent compromise of one of the university's iWeb servers was caused by user error and not the recently disclosed IIS vulnerability. According to officials, one of the users on the server failed to properly secure their web space which allowed an unknown individual(s) to upload a malicious script to the server. The breached server was one of eight such web servers and housed web accounts for about 2,000 individuals. Most of these 2,000 had their web content replaced with a taunting message. Ball State officials say the iWeb server was backed up a few hours before the breach and most content should be restored soon.

Quick Facts

• Date: 2/4/09
• Institution: Ball State University
• Type of Incident: Unauthorized Disclosure
• Number Affected: 19
• Source: ESI
• Abstract Source: Ball State Daily News Online

Abstract
Ball State University announced that an email sent to special event employees contained personal information. The email, sent to 91 employees to verify information, contained the Social Security numbers of 19 special event employees. According to the Ball State Associate VP for Marketing and Communications Tony Proudfoot, the Social Security numbers were accidentally entered into the Employee ID field by the employees themselves. The university became aware of the problem within minutes of sending the email as employees began contacting the university. Once notified, Ball State employees went to work requesting email recipients delete the email and contacting the 19 affected individuals to offer to cover any identity theft expenses suffered by the individuals.