Quick Facts

• Date: 1/15/2010
• Institution: Ohio University
• Type of Incident: Unauthorized Disclosure
• Number Affected: None
• Source: ESI
• Abstract Source: The Columbus Dispatch

Abstract
A recent audit at Ohio University discovered student information was unsecured. The audit, conducted internal to the university, discovered that computers at two Ohio University campuses contained student Social Security numbers and were not encrypted or protected against theft. One of the computers was discovered in the College of Education on the main campus which prompted a review of all university owned computers. The other computers, six in total, were discovered on the Zanesville campus. There is no evidence to suggest that the information on these computers were exposed, stolen or misused.

Quick Facts

• Date: 12/23/2008
• Institution: Ohio University - Chillicothe
• Type of Incident: Theft
• Number Affected: 38
• Source: Pogo Was Right
• Abstract Source: Chillicothe Gazette

Abstract
Ohio University - Chillicothe is working to alert members of the university's Health Wellness Center after staff discovered the theft of a hard drive containing personal information. The drive, part of a stand-alone machine using specialized software, contained the names and Social Security numbers of 38 current and former members. OU-C discovered the theft on December 9th and began investigating the incident. According to OU-C officials, the information is very difficult to access without the special software used by the Health Wellness Center. However, to help protect the individuals affected by this incident, OU-C is offering one year of free credit monitoring to the 38 current and former members affected by the theft.

Quick Facts

• Date: 7/25/08
• Institution: Ohio University
• Type of Incident: Unauthorized Disclosure
• Number Affected: 492
• Source: Attrition.org
• Abstract Source: The Columbia Dispatch

Abstract
A clerical error at Ohio University's Centers for Osteopathic Research and Education (CORE) caused personal information on 492 individuals to be posted online. The data, contained in an excel spreadsheet, contained the names, Social Security numbers, addresses, contact numbers and federal employment identification numbers of individuals that had spoke at CORE according to a university spokesperson. The spreadsheet had been available from March 20 until it was removed on June 16 when a nurse discovered the file while doing research online. According to CORE the document that should have been posted did not contain any personal information. The individual that made the error was placed on paid administrative leave pending a review. CORE has created a web site - www.ohiocore.org/answers - and hotline - 866-437-8698 - to help answer questions.

Quick Facts

• Date: 3/4/2008
• Institution: Ohio University
• Type of Incident: Unauthorized Disclosure
• Number Affected: 25,000
• Source: Pogo Was Right
• Abstract Source: The Post
• Update Source: The Chronicle of Higher Education

Abstract
David M. Hendricks Jr., a Post reporter and Ohio University Resident Assistant, recently alerted Ohio University that pictures of 25,000 OU students were available via the Internet. The pictures, part of the university's Community Incident Report web site, were discovered after Hendricks started added different words to the end of the site's address. Hendricks found that the pictures came up without any need for him to use his RA login and password to the Community Incident Report system. Ohio University secured the site within hours of notification and it does not appear the site was indexed or cached by any search engine. The pictures were not accompanied by names but did include 10-digit identification codes that allow appear on student IDs. According to Patrick Beatty, Associate University Registrar, pictures are not considered directory information by the university. According to OU's Internal Audit guidelines, posting a student’s picture on a Web site without a signed release is a violation of federal privacy law.

Update1: Ohio University is disputing the claims made by the OU newspaper that 25,000 student pictures were available to the Internet with no protections. According to OU CIO Bruce Bible, "It's been overblown. There has been nothing exposed, and the information was non-descriptive to start with. There is no sensitive data tied to this site." According to Bible, to get access to all of the pictures, a resident assistant would need to first log in and then right-click to get the address for the entire directory. This address could then be shared with others.

Quick Facts

• Date: 6/9/2006
• Institution: Ohio University
• Type of Incident: Penetration
• Number Affected: 70,000
• Source: Attrition.Org
• Abstract Source: Ohio News Now

Abstract

Ohio University officials announced that two more computer systems were discovered to have been the victims of criminal computer attacks. These recent breaches exposed personal information on over 70,000 individuals including subcontractors paid by Ohio University over the past two years. In a letter sent out to affected individuals the university was quick to point out that there has been no evidence that personal information was being used to commit fraud or identity theft.