Hacker gets private data on students at Ohio University

May 11, 2006

Associated Press


ATHENS, Ohio - Private information for all students enrolled at Ohio University since fall 2001 was stolen in the third electronic security breach discovered in three weeks, the school reported Thursday.

It was the first time Social Security numbers and other private information for current students was compromised in the data thefts. The FBI found and alerted the school to the first breach last month, and two more have been discovered in the university's own review of all its systems.

More breaches could be found as 20 employees working seven-day weeks continue the review, which could take another 10 days to finish, said Bill Sams, head of information technology. "We're going through every system from top to bottom," he said.

Names, birth dates, Social Security numbers and medical information for 60,000 people were accessed in records at the school's Hudson Health Center, the university discovered last Thursday. The student clinic has records on all Athens campus students dating back to 2001, plus faculty, workers and regional campus students who sought treatment there.

As it did with the previous thefts, the university sent e-mails Thursday to the affected people and will follow up with letters.

The alerts couldn't be sent to students earlier because names in the database couldn't be accessed while the school backed it up to preserve evidence and rebuilt it with proper security, Sams said.

The university reported two data thefts within three days of each other in late April. Someone gained unauthorized access to records on more than 300,000 people and organizations in the alumni relations department, including 137,000 Social Security numbers, and to a server at the school's business incubator that contained e-mails and patent and intellectual property files.

After those thefts, the university set up a Web site and hot line, (740) 566-7448 or (800) 901-2303, with tips on how to prevent fraudulent use of personal information.

The school also has hired a security consultant.

"Given the breadth and the number of these we are operating under the assumption that we've got to make major changes very quickly," Sams said.

Ohio University also has called other schools that had breaches, including Miami University in Oxford in southwest Ohio. Miami reported in September that someone had accidentally posted a grade report that included student names and Social Security numbers on a site accessible by the Internet.

[an error occurred while processing this directive]