Quick Facts

• Date: 12/16/2010
• Institution: Ohio State University
• Type of Incident: Penetration
• Number Affected: 760,000
• Source: ESI
• Abstract Source: The Columbus Dispatch

Abstract
Ohio State University began sending out notifications after a server containing personal information was breached. The server contained the names and Social Security numbers on 760,000 faculty, staff, students, applicants, contractors and consultants. OSU discovered the breach in October during a routine security review. In response, the server was quickly isolated and OSU hired two outside companies, Interhack and Stroz Freidburg, to help investigate the incident. Both companies found evidence that someone had gained unauthorized access but neither could find evidence that the personal information had been accessed. They companies did find evidence that hackers attempted to use the server to launch additional attacks against government agencies and business. OSU withheld notification until after the investigations were completed which did not occur until late November and early December. In the notification letters to the affected individuals, OSU is offering to pay for 12 months of credit monitoring. All told,OSU expects to spend $4 million to pay for forensic investigation and credit card monitoring. More information on the breach can be found at www.osu.edu/creditsafety/.

Special Thanks to Brett Bartow for letting ESI know about this incident. -Adam

Quick Facts

• Date: 9/30/2010
• Institution: Ohio State University
• Type of Incident: Unknown
• Number Affected: 30 to 385
• Source: ESI
• Abstract Source: The Columbus Dispatch

Abstract
According to Ohio State University, four of the six security incident investigations in the past year discovered minor breaches involving personal information. These incidents involved 30 to 385 individuals and all involved Social Security numbers. According to Catherine Bindewald from OSU's Office of the Chief Information Officer there has been no indication that any of this information has been misused and no reports of identity theft from those affected. OSU offers one free year of credit protection to anyone affected by breaches at the university, even if there is no evidence information has been inappropriately accessed. The total number of data breach investigations at OSU has dropped since the school increased security measures and implemented a $50 million student-information system.

Quick Facts

• Date: 6/8/2009
• Institution: Ohio State University
• Type of Incident: Unauthorized Disclosure
• Number Affected: 350
• Source: DataBreaches.net
• Abstract Source: The Lantern

Abstract
Ohio State University's Dining Services is working to protect student workers after an attachment containing sensitive information was accidentally sent in an email. The attachment contained the Social Security numbers of all 350 student workers and was accidentally attached to an email reminding student workers to sign waivers for the retirement program. According to OSU officials, the mistake was caught quickly and the IT department was able to stop many, but not all, emails before they were delivered to the recipient. OSU is offering affected students 12 months of credit protection through Debix at a cost to the university of $11 per student that enrolls.

Quick Facts

• Date: 12/31/2008
• Institution: Ohio State University
• Type of Incident: Unauthorized Disclosure
• Number Affected: 18,000
• Source: Pogo Was Right
• Abstract Source: Columbus Dispatch

Abstract
Ohio State University is working to notify current and former students after student personal information was found accessible via the Internet. The information, including Social Security numbers, names, address and enrollment dates, was accidentally placed on a server exposed to the Internet. OSU has traced the mistake to a third-party vendor working with the university's student health insurance program. The breach appears to have affected 18,000 students enrolled in the insurance program from Fall 2005 to Summer 2006. OSU is offering these individuals 12 months of free credit monitoring. According to OSU officials, the university became concerned in September when students began contacting the university after finding their personal information online. OSU has setup a web site - www.studentlife.osu.edu/dataexposure/ - with more information on the incident.

Quick Facts

• Date: 5/6/2008
• Institution: Ohio State University Agricultural Technical Institute
• Type of Incident: Unauthorized Disclosure
• Number Affected: 192
• Source: Attrition.org
• Abstract Source: The Columbus Dispatch

Abstract
The Ohio State University Agricultural Technical Institute accidentally sent an e-mail containing personal faculty and staff information to about 680 students. The e-mail had an excel attachment that contained names, positions, salaries and Social Security numbers on 192 faculty and staff members. In a follow-up e-mail students were asked to delete the e-mail that contained the personal information. Affected staff and faculty members are being offered free credit monitoring and identity theft protection. When asked if students could be trusted to delete the e-mail OSU ATI spokesperson Frances Whited responded "Of course!"