Educational Security Incidents (ESI) - Sometimes the free flow of information is unintentional

Stolen Laptop Contains Indiana State University Student Information

Adam Dodge — Tue, 15 Jul 2008 16:04:22 -0500

Quick Facts

Date: 7/15/2008
Institution: Indiana State University
Type of Incident: Theft
Number Exposed: 2,500
Source: ESI
Abstract Source: The Tribune-Star

Abstract
Indiana State University is working to alert more then 2,500 current and former students about the theft of a laptop containing student information. The laptop, stolen from an economics professor while traveling in southern Indiana, contained students names, grades, e-mail addresses, student ID numbers (after 2003) and Social Security numbers (up to 2003) for students that had taken economics classes between 1997 and spring semester 2008. According to the university, there is no evidence of any identity theft but the university urges affected students to place fraud alerts on their credit reports.

CSU Chico Prof Exposes 30 Students Info Online

Adam Dodge — Tue, 15 Jul 2008 08:05:07 -0500

Quick Facts

Date: 7/15/2008
Institution: California State University, Chico
Type of Incident: Unauthorized Disclosure
Number Affected: 30
Source: SSNBreach.org
Abstract Source: SSNBreach.org Media Release

Abstract
In May, the Liberty Coalition notified California State University, Chico that it discovered an excel file online that contained student information. The file, placed online in 2003 by a Computer Science professor, contained the names, partial Social Security numbers, test scores and lab scores of 30 students. The information appears to be on former students of Jim McElroy. The university quickly removed the file once notified and the file is no longer available through search engine caches.

Sixty Online Files Contain Information On Thousands of U. Texas Austin Students

Adam Dodge — Mon, 14 Jul 2008 17:08:28 -0500

Quick Facts

Date: 7/11/2008
Institution: University of Texas, Austin
Type of Incident: Unauthorized Disclosure
Number Affected: 2,490
Source: SSNBreach.org
Abstract Source: SSNBreach.org Media Release

Abstract
SSNBreach.org has announced that it discovered containing personal and sensitive information on University of Texas, Austin students and staff was available online. The information, contained in over 60 different files, contained information such as names, addresses, 66 social security numbers, 459 partial social security numbers, phone numbers, e-mails, scores, GPA, GRE Scores, Majors, Race, Gender, GPA, phone numbers, tax information, and other personal information. The files were found to have been posted online by at least four different faculty members. The university restricted access in January after being notified by SSNBreach.org but the files were still accessible through search engine caches through at least May 2008.

Nine University of Nebraska at Kearney Computer Compromised

Adam Dodge — Wed, 02 Jul 2008 11:39:23 -0500

Quick Facts

Date: 7/2/2008
Institution: University of Nebraska at Kearney
Type of Incident: Penetration
Number Affected: 2,035
Source: ESI
Abstract Source: NTV

Abstract
The University of Nebraska at Kearney has begun sending letters to former students after nine computers where discovered to have been compromised by an unknown individual. These computers, located in the College of Natural and Social Sciences contained information on advisees in the Department of History in 2002 and 2003, deciding students in Fall 2001 and Fall 2002, and students in the online Master of Science in Biology program since Spring 2005 including 2,035 student Social Security numbers. According to university officials, no academic records were affected. The university has created a web site - www.unk.edu/securityincident/ - and a hotline - 308-865-8950 - where concerned individuals can get more information. On the web site, the university recommends that students affected by this incident place fraud alerts on their credit reports.

Cornell Offers Student Credit Protection As A Precaution

Adam Dodge — Wed, 25 Jun 2008 18:23:31 -0500

Quick Facts

Date: 6/25/2008
Institution: Cornell University
Type of Incident: Theft
Number Affected: 2,500
Source: ESI
Abstract Source: The Ithaca Journal

Abstract
Cornell University recently announced that it will begin offering one year of free credit protection to 2,500 students whose personal information may have been copied from a desktop computer. The possible breach was discovered in March, when Cornell staff found a computer in the Office of Minority Educational Affairs was infected with several viruses and malware that could have been used to record and steal information on the computer. One of the files on this affected computer contained a spreadsheet with names and Social Security numbers of a large number students and alumni that had participated in the University's Pre-Freshman Summer Program.

Former Southeast Missouri State University Employee Found With Student Information

Adam Dodge — Mon, 23 Jun 2008 13:20:51 -0500

Quick Facts

Date: 6/23/2008
Institution: Southeast Missouri State University
Type of Incident: Employee Fraud
Number Affected: 800
Source: Pogo Was Right
Abstract Source: KFVS

Abstract
Southeast Missouri State University is working to alert students after it discovered that student personal information may be at risk. During a review of activity logs, the university discovered that a former employee had access hundreds of student records. According to university officials, records of 800 students, which included names and Social Security numbers, were found in the former employee's computer files. The university has filed charges against the former employee. The university has also setup a web site - www.semo.edu/identityalert/ - where students can find more information. Students wish additional questions are encouraged to call - (573) 986-6800 - or e-mail - identityalert@semo.edu - the university.

Arizona State Audit Discovers Student Information Is At Risk

Adam Dodge — Sat, 21 Jun 2008 09:10:47 -0500

Quick Facts

Date: 6/21/2008
Institution: Arizona State University, Northern Arizona University, University of Arizona
Type of Incident: Unauthorized Disclosure
Number Affected: 10,000
Source: ESI
Abstract Source: The Arizona Republic

Abstract
A recent state audit has uncovered a number of serious weaknesses in the web systems at Arizona state's universities. State auditors were able to access personal information, including names and Social Security numbers, of 10,000 individuals. In addition, auditors found weaknesses that, if exploited, would allow an individual to take over large numbers of user accounts, change records and install malicious software. The audit only looked at a small percentage of web applications at the universities and the auditors believe that similar vulnerabilities are likely to exist in other web-based applications at the universities. The audit recommends that Arizona State University, Northern Arizona University and the University of Arizona develop comprehensive information security programs, provide better training for Web developers and conduct regular security tests.

Student Employee Places Columbia Student Information On Google-hosted Site

Adam Dodge — Thu, 12 Jun 2008 15:00:00 -0500

Quick Facts

Date: 6/12/2008
Institution: Columbia University
Type of Incident: Employee Fraud
Number Affected: 5,000
Source: Pogo Was Right
Abstract Source: Columbia Spectator, NY Sun

Abstract
Columbia University is apologizing to students after it discovered that a file available through a Google-hosted Web site contained personal student information. The file in question, a Housing and Dining database, was apparently uploaded by a student working for the Housing department in 2007. The student information was available from February 2007 through June 3, 2008 when an alumna discovered the personal information through a Google search. The university worked with Google to remove the file from the hosted web site. The university is offering two years of credit monitoring for the affected individuals. A petition circulated by Columbia students condemned the Housing department. The petition also called for department to launch an investigation of the student worker responsible for the incident, publicly disclose the results of the investigation the department is lawfully able to disclose and publicly report the steps the department will take to screen employees' ability to properly handle confidential information.

[Update2]Stolen University of Utah Hospitals & Clinics Backup Tapes Contained 2.2 Million Billing Records

Adam Dodge — Tue, 10 Jun 2008 15:36:55 -0500

Quick Facts

Date: 6/10/2008
Institution: University of Utah
Type of Incident: Theft
Number Affected: 1,500,000 (Revised)
Source: ESIhttp://www.adamdodge.com/esi/node/352/edit
Abstract Source: University Health Care News Release
Update1 Source: The Salt Lake Tribune
Update2 Source: The Salt Lake Tribune

Abstract
The University of Utah Hospitals & Clinics is currently notifying 2.2 million patients about the theft of medical billing records. On June 2, a box of backup tapes containing patient and guarantors billing records was stolen out of a car belonging to a contracted independent storage company. The tapes contained the personal information on 2.2 million patients and guarantors including patient names, related demographic information and diagnostic codes. In addition, these records contained the Social Security numbers of 1.3 million patients. The Salt Lake County Sheriff’s Department, the FBI and the U.S. Postal Service are investigating the theft. According to Lorris Betz, M.D., Ph.D, Senior Vice President for Health Sciences, University of Utah Hospitals & Clinics is taking aggressive steps to protect patient confidentiality including notifying all 2.2 million individual through postal mail, offering one year of free credit monitoring to those whose SSNs were on the tapes and offering a $1,000 reward for the return of the tapes, no questions asked. The University of Utah Hospitals & Clinics has also setup a hotline - 866-581-3599 - and a web site - healthcare.utah.edu/billingrecordstheft - to help answer any questions and provide more information about the theft.

Update1
The University of Utah Hospitals & Clinics has revised the total number of affected individuals to 1.5 million. The revised count takes into account duplicate records and records on deceased individuals. However, the university also removed individuals where there is no valid address for the record. A spokesperson encouraged anyone who is concerned that they might be affected to call the hotline setup by University of Utah Hospitals and Clinics, especially if they do not receive a notification letter by July 1.

Update2
The stolen backup tapes containing 1.5 million University of Utah Hospital and Clinics patient records have been recovered according to the Salt Lake County Sheriff's Office. Detail surrounding the recovery are not available at this time but no arrests have been made concerning the theft. Salt Lake County sheriff's Lt. Paul Jaroscak called the investigation in to the theft deep and ongoing.

University of Florida Current, Past Student Information Available Online

Adam Dodge — Tue, 10 Jun 2008 13:09:20 -0500

Quick Facts

Date: 6/10/2008
Institution: University of Florida
Type of Incident: Unauthorized Disclosure
Number Affected: 11,300
Source: ESI
Abstract Source: InsideUF

Abstract
The University of Florida began notifying current and past student that their personal information was found available online during a routine audit. The audit discovered that the names, address and Social Security numbers of 11,300 current and former UF students was available online through an Office for Academic Support and Institutional Service (OASIS) website. The site was developed by a former student employee and was used to allow student workers remote access to OASIS records while at remote locations. According to Joe Glover, interim dean of the College of Liberal Arts and Sciences, the student worker did not put any security controls in place to limit the access to this data. The OASIS site was actively used from 2003 through 2005 but remained online until the university discovered this incident and removed the information. The university has setup a hot line - 866-876-HIPA - and web site - privacy.ufl.edu/ - to help answer any questions affected individuals may have.