Ohio University suffers security breaches

By Greg Sandoval
Staff Writer, CNET News.com

Published: May 11, 2006, 7:00 PM PDT

Data thieves may have plundered Social Security numbers and other private information--including health records--belonging to students and faculty at Ohio University following three separate computer intrusions at the school.

According to a message posted on the school's Web site, more than 200,000 people may have been victimized, including past and present students as well as school employees.

Administrators also suggested that more thefts may be uncovered as investigators continue to review computer systems campuswide.

While this is only the latest in a long string of electronic attacks on the nation's universities, the case appears to be unprecedented because of the number of data thefts discovered at one time at one school.

As part of its investigation, the university said on its Web site, it has sought the help of the FBI, forensic consultants and other universities that have suffered similar intrusions "to improve the security of data and IT resources" throughout the university.

"E-mails and letters have been or are being sent to all constituents whose personal information may have been compromised," the school said in a statement.

Last month, the FBI alerted the university's administration that a server within the school's Technology Transfer Department had been compromised. Little personal information was believed to be lost in that breach, but a second breach was found three days later on April 24.

The school's electronic-security team discovered that a server within alumni relations had been commandeered and was being used in a denial of service attack. The Social Security numbers of about 137,000 people were stored in that server.

On Thursday, the school announced that it had found a third intrusion at its health center involving 60,000 people including all current students as well as some school faculty.

In addition to Social Security numbers, the compromised server in the health department held health records.

Last month, a 25-year-old San Diego man was charged with hacking into the University of Southern California's online application system and nabbing personal data from prospective students.

In January, the University of Notre Dame began investigating an electronic break-in that may have exposed the personal and financial information of school donors.