On 31 March or 1 April, a hacker using a foreign web address cracked a university firewall and accessed the names, Social Security numbers, employee ID numbers and birth dates of more than 14,000 current and former staff members, according to a university statement.
The university sent letters to affected personnel, who were offered a year of free credit protection.
Of the victims, nearly 7,000 are current staff members, while more than 7,100 are former university employees.
The university, on discovering the breach on 2 April, blocked access to the exposed database and informed state and federal law enforcement authorities.
University spokesman Jim Lynch told SCMagazine.com today that experts from Cybertrust have been hired to investigate the hacking.
In an unrelated incident, the personal information of about 3,500 current and former chemistry students was compromised when two laptop computers were stolen from the home of a university professor on 24 February.
The laptops were likely not the target of the burglary, and were stolen with a number of other household items, according to Lynch.
Records stored in the laptops contained names, Social Security numbers and grades, according to the university.
Lynch said the laptops were likely stolen by thieves not interested in or aware of the personal information contained on them. He was unsure whether the data was encrypted.
Ennio Carboni, director of product management at Ipswitch, told SCMagazine.com that college students are an alluring target for attackers because their credit is often flawless.
"I think it’s very tactical by the hackers. We’re talking about a university with thousands and thousands of Social Security numbers with not a lot of established credit, so they can get those and other information to open up lines of credit," he said.
"When hackers steal information from a large population of adults, it can be good credit and it can be bad credit. With college students, it’s fresh; they haven’t defaulted on home loans or anything like that."
Ohio State is the latest in a growing line of education institutions to suffer a data breach.
Late last month, hackers compromised a server to access the personal information of 46,000 students, faculty members and staff of the University of California, San Francisco.
Its sister school, the University of California, Los Angeles, discovered in December of last year that a hacker had been exploiting an undetected security hole in a school database for more than a year. The network contained the personal information of 800,000 people, including current and former students, faculty, staff and applicants.
Last month, Texas A&M University alerted nearly 100,000 network users to change passwords after hackers attempted to access university accounts.
Ohio University sent out more than 300,000 notices in May 2006 after a server breach.
The University of Arizona and the University of Texas at Austin are other high-profile college breach victims.
Ohio State University students and employees affected by the breach are encouraged to call 1-866-515-9332. Staff with questions may visit http://cio.osu.edu/secureinfo/research, while students are encouraged to visit http://cio.osu.edu/secureinfo/chem.
Hackers, laptop thieves compromise personal information of 17,500 in US state
By Frank Washkuch on Apr 19, 2007 9:47AM