Home » Identity & Access » Identity Theft

News

Oklahoma State Breach Points to Higher-ed Security Problems

A seemingly neverending string of data breaches at various colleges around the U.S. highlights precisely why university systems and networks continue to have a reputation for being notoriously insecure.

By Jaikumar Vijayan, Computerworld (US online)

May 16, 2008 —

A seemingly neverending string of data breaches at various colleges around the U.S. highlights precisely why university systems and networks continue to have a reputation for being notoriously insecure.

The latest academic institution to disclose a data compromise was Oklahoma State University (OSU), which Wednesday began notifying about 70,000 individuals that their names, addresses, Social Security numbers and other personal data may have been compromised.

The warning followed the discovery in late March of an intrusion into a server belonging to the university's parking and transit services department, according to OSU spokesman Gary Shutt. The server contained information on people who had purchased parking permits from the university dating back to July 2002, according to an advisory posted on OSU's Web site.

Shutt said that the intrusion appears to have been carried out by a hacker in Germany who was looking for a server on which to host movies, TV shows, songs and pornographic content. Thus far, there is no evidence that the attack was perpetrated for the purposes of stealing the data stored on the server. "It appears that the person who came in was just looking for server space," Shutt said. "But because we couldn't be 100% sure, we went ahead and started sending notices."

According to Shutt, the university was alerted to the intrusion after another organization complained that its servers were being probed by the compromised system at OSU. On Wednesday, the university sent out e-mail notices to about 40,000 individuals for whom it had working addresses. The school is sending notices to another 26,000 people via postal mail, Shutt said, adding that it doesn't have contact information for the rest of the people whose data was stored on the server.

The OSU breach is one of eight data compromises at colleges and universities to be listed thus far this month on a Web site called Educational Security Incidents. Since January, a total of 86 data breaches have been reported at educational institutions, according to the ESI site. Most of the incidents involve U.S. schools, although a handful were reported by universities in other countries.

The breaches that have recently come to light at universities include the following:

Earlier this month, Dominican University disclosed that two student employees had used their passwords to improperly access an Excel file that contained the records of 5,215 students. The file was stored "in an unsecure location," according to an advisory posted on Dominican's Web site.

Late last month, Southern Connecticut State University notified 11,000 current and former students that their names, addresses and Social Security numbers may have been accessed by intruders who were using the school's Web server to host an illicit site, allegedly as part of a spamming operation.