Oklahoma State breach points to ongoing higher-ed security challenges

May 15, 2008 (Computerworld) A seemingly never-ending string of data breaches at various colleges around the U.S. highlights precisely why university systems and networks continue to have a reputation for being notoriously insecure.

The latest academic institution to disclose a data compromise was Oklahoma State University (OSU), which yesterday began notifying about 70,000 individuals that their names, addresses, Social Security numbers and other personal data may have been compromised.

The warning followed the discovery in late March of an intrusion into a server belonging to the university's parking and transit services department, according to OSU spokesman Gary Shutt. The server contained information on people who had purchased parking permits from the university dating back to July 2002, according to an advisory posted on OSU's Web site.

Shutt said that the intrusion appears to have been carried out by a hacker in Germany who was looking for a server on which to host movies, TV shows, songs and pornographic content. Thus far, there is no evidence that the attack was perpetrated for the purposes of stealing the data stored on the server. "It appears that the person who came in was just looking for server space," Shutt said. "But because we couldn't be 100% sure, we went ahead and started sending notices."

According to Shutt, the university was alerted to the intrusion after another organization complained that its servers were being probed by the compromised system at OSU. On Wednesday, the university sent out e-mail notices to about 40,000 individuals for whom it had working addresses. The school is sending notices to another 26,000 people via postal mail, Shutt said, adding that it doesn't have contact information for the rest of the people whose data was stored on the server.

The OSU breach is one of eight data compromises at colleges and universities to be listed thus far this month on a Web site called Educational Security Incidents. Since January, a total of 86 data breaches have been reported at educational institutions, according to the ESI site. Most of the incidents involve U.S. schools, although a handful were reported by universities in other countries.

The breaches that have recently come to light at universities include the following:

• Earlier this month, Dominican University disclosed that two student employees had used their passwords to improperly access an Excel file that contained the records of 5,215 students. The file was stored "in an unsecure location," according to an advisory posted on Dominican's Web site.
• Late last month, Southern Connecticut State University notified 11,000 current and former students that their names, addresses and Social Security numbers may have been accessed by intruders who were using the school's Web server to host an illicit site, allegedly as part of a spamming operation.
• In March, Antioch University in Yellow Springs, Ohio, disclosed that unknown cybercrooks had broken into its main ERP server on multiple occasions last year and stolen the personal data of about 60,000 individuals.
• That same month, Lasell College in Newton, Mass., disclosed that one of its employees had illegally accessed a database containing the Social Security numbers and other personal data of about 20,000 people.
• The personal information of about 10,000 graduate students at Harvard University was exposed by a server intrusion that was discovered in February and publicly disclosed the following month.