Educational Security Incidents (ESI)

Quick Facts

• Date: 9/3/2008
• Institution: Clarkson University
• Type of Incident: Unauthorized Disclosure
• Number Affected: 245
• Source: Pogo Was Right
• Abstract Source: Clarkson Integrator

Abstract
On August 26, a non-malicious student discovered they could access a file containing Clarkson University employee information on a secured Clarkson server. The file contained the names, dates of birth and Social Security numbers of 245 current and former employees. The student that discovered the file immediately alerted the university, which launched an investigation into the incident. According to the university, the file became available on August 25 when work on the server caused the permissions to default back to open. The investigation determined that the only person to access the file during the brief period it was unsecured was that student that reported the incident. The university contacted all of the affected individuals and briefed them on the incident. When the Clarkson Integrator spoke with Kelly Chezum, the Assistant to the President for Strategic Advancement, she responded that, as a person affected by the incident, she "feel[s] pretty confident my personal information is fine."

Quick Facts

• Date: 9/2/2008
• Institution: University of Illinois
• Type of Incident: Impersonation
• Number Affected: 1
• Source: ESI
• Abstract Source: News Gazette
• Update1 Source: Daily Illini

Abstract
University of Illinois officials are working to track down who sent a fraudulent email message purportedly from Chancellor Richard Herman. The e-mail message, sent from the chancellor AT uillinois.edu e-mail account, denounces fraternities and sororities calling recruiting activities "aggressive" and claiming that such organizations "perpetuate social inequality, especially with respect to the opposite gender, and promote a lack of diversity." According to officials within the Office of the Chancellor, which controls the chancellor AT uillinois.edu, the e-mail was sent from the account but that the e-mail was not sent by the chancellor. The Campus Information Technologies and Educational Services (CITES) staff is looking into how this e-mail was sent and is attempting to determine how many people received the fraudulent e-mail. According to Robin Kaler, the UI's associate chancellor for public affairs, the university plans to take disciplinary action against the individual responsible for sending the e-mail.

Update1
According to Mike Corn, director of security and privacy for CITES, the hoax email was not the result of a security breach. While the email appeared to be sent to "everyone@uillinois.edu", that was not the case. According to Corn, this part of the email was just text and the email was just another form of "phishing", designed to get grab everyone's attention.

Quick Facts

• Date: 9/2/2008
• Institution: Ivy Tech Community College
• Type of Incident: Unauthorized Disclosure
• Number Affected: Unknown
• Source: ESI
• Abstract Source: Ivy Tech Security Notice

Abstract
An astute reader wrote ESI to make us aware of a recent incident at Ivy Tech Community College. According to the Ivy Tech Security Notice, a "clerical error" when sharing a file containing student information caused the file to be shared with all Ivy Tech Indianapolis region employees. The file contained names, addresses and Social Security numbers of all students enrolled in spring 2008 distance education courses. The internal investigation reviled the between July 28 and July 31, 102 Ivy Tech employees accessed the file in question. In an alert to students, Ivy Tech recommends that the students place fraud alerts on their credit files as a precaution. Ivy Tech has created a web site - www.ivytech.edu/about/security/faq-0708.html - to help answer questions about the incident.

Corrected number of Ivy Tech employees accessing the file from 108 to 102. - Adam

Quick Facts

• Date: 8/30/2008
• Institution: Rochester Institute of Technology - National Technical Institute for the Deaf
• Type of Incident: Theft
• Number Affected: 13,800
• Source: Attrition.org
• Abstract Source: WHAM

Abstract
Rochester Institute of Technology began notifying individuals associated with the National Technical Institute for the Deaf after a laptop containing personal information was discovered missing on August 25. According to RIT officials, the laptop contained the names, birth dates and Social Security numbers of the 12,700 individuals that had enrolled in the NTID since 1968. In addition, 1,100 members of the RIT community are affected by the theft as well. RIT officials are working with the Monroe County Sheriff's Department and urge affected individuals to place fraud alerts on their credit files. RIT has setup a hotline - 866-624-8330 - and web site - www.rit.edu/news/?v=46283 - to help answer additional questions about the theft.

Quick Facts

• Date: 8/27/2008
• Institution: Kansas State University
• Type of Incident: Theft
• Number Affected: 86
• Source: ESI
• Abstract Source: KTKA

Abstract
Kansas State University's Division of Continuing Education is notifying students that papers stolen from a parked car contained their personal information. The papers, stolen out of a professor's parked car, contained the names and Social Security numbers of 86 students that had taken Res 200 between Fall 2007 and Summer 2008. K-State is in the process of phasing out Social Security numbers and recently implemented a new student system which no longer uses Social Security numbers as student IDs. The university also plans to launch an education and awareness campaign for faculty and staff on protecting student information.