Educational Security Incidents (ESI) - Sometimes the free flow of information is unintentional

Eastern Washington University Breach Affects 130,000

Adam Dodge — Thu, 31 Dec 2009 20:08:53 +0000

Quick Facts

Date: 12/31/2009
Institution: Eastern Washington University
Type of Incident: Penetration
Number Affected: 130,000
Source: DataLoss DB
Abstract Source: Seattle PI

Abstract
Eastern Washington University will soon being notifying current and former students following a sever breach. The system contained the names, dates of birth and Social Security numbers of 130,000 students dating back to 1987. The breach was discovered during a security assessment in early December. The investigation into the incident discovered that the system was breached and used to store video files. While the university does not have any evidence the information was accessed inappropriately, letters are being sent out as a precaution. In the letter to affected individuals, EWU President Rodolfo Arevalo stated that the university is treating the breach seriously and will continue to upgrade systems and security practices to protect sensitive information. EWU has setup a web site - www.ewu.edu/x67128.xml - with more information on the breach.

Western Michigan University Web Site Accidentally Exposes Student Information

Adam Dodge — Tue, 22 Dec 2009 20:08:04 +0000

Quick Facts

Date: 12/22/2009
Institution: Western Michigan University
Type of Incident: Unauthorized Disclosure
Number Affected: Unknown
Source: DataBreaches.net
Abstract Source: New Hampshire Attorney General's Office (PDF)

Abstract
Western Michigan University has notified students after a mistake exposes student information online. According to the letter to the NH Attorney General's Office, student information such as Social Security numbers were inadvertently exposed online for "a brief period of time". The information was discovered on December 14, 2009 and the information was immediately removed. According to the university, there is no evidence the information was accessed, letters were sent out offering those affected a one-year membership in a credit monitoring service by IDExperts.

[UPDATE1]Malware Potentially Exposes Penn State Student Information

Adam Dodge — Fri, 18 Dec 2009 23:53:37 +0000

Quick Facts

Date: 12/18/2009
Institution: Penn State University
Type of Incident: Penetration
Number Affected: 30,000 (Updated)
Source: DataLossDB
Abstract Source: Penn State Live
Update1 Source: Pittsburgh Post-Gazette, DataBreachs.net

Abstract
Penn State University is alerting former students after a computer containing personal information was compromised by malware. The computer, found to be infected with malware and communicating to computers outside of the university, contained an archived class list with 261 Social Security numbers. The university removed the infected computer from the network as soon the problem was discovered. According to PSU's chief privacy officer, Sarah Morrow, there is no reason to believe the student information was accessed but Penn State decided to err on the side of caution. As Morrow stated, "Even when theft is only a remote possibility, we alert anyone who may have been affected, and arm them with information and steps to take to mitigate their risk."

Update1
Pennsylvania State University has begun notifying individuals after a large scale malware outbreak was discovered. The outbreak, affecting multiple computers, involved systems containing the names and Social Security numbers of around 30,000 individuals. The systems affected belonged to the Eberly Colelge of Science (7,758 records), the College of Health and Human Development (6,827 records) and Penn State Schuylkill (15,000 records). According to Penn State spokeswoman Annemarie Mountz the Social Security numbers were contained in archived files on the systems affected by the malware and the university does not have any indication the files were accessed. Instead the letters, containing information on protecting against identity theft, were sent out as a precaution. As a result of this and a previous breach this year at Penn State's Behernd campus, Penn State has started initiatives to safeguard information stored on university-owned computers.

North Carolina Colleges Library System Breached

Adam Dodge — Thu, 17 Dec 2009 19:54:29 +0000

Quick Facts

Date: 12/17/2009
Institution: Alamance Community College, Beaufort County Community College, Bladen Community College, Blue Ridge Community College, Brunswick Community College, Central Carolina Community College, College of The Albemarle, Gaston College, Halifax Community College, Haywood Community College, Johnston Community College, Lenoir Community College, Martin Community College, Nash Community College, Pamlico Community College, Piedmont Community College, Richmond Community College, Roanoke-Chowan Community College, Rowan-Cabarrus Community College, Sandhills Community College, Southwestern Community College, Tri-County Community College, Vance-Granville Community College, Wake Tech Community College, Wilson Community College
Type of Incident: Penetration
Number Affected: 51,000
Source: DataBreaches.Net
Abstract Source: NC Community Colleges Press Release (PDF)

Abstract
The North Carolina Community Colleges system began notifying library patrons from 25 NC community colleges after a unauthorized individual gained access to a system housing patron data. The affected server, located in the NC Community Colleges System Office, was found to contain the personal information on 51,000 individuals including 12,400 Drivers License number and 38,500 Social Security numbers. The breach appears to have occurred on August 23, 2009 and NC Community Colleges staff became aware of the breach on August 24, 2009. An initial review discovered that 18 colleges used the Drivers License information to identify patrons. These colleges include Alamance, Beaufort, Blue Ridge, Brunswick, Central Carolina, College of The Albemarle, Gaston, Halifax, Johnston, Martin, Pamlico, Piedmont, Richmond, Rowan-Cabarrus, Tri-County, Vance-Granville, Wake Tech and Wilson. On October 19, 2009, the ongoing investigation uncovered that 12 colleges used Social Security numbers to identify patrons. these colleges include Bladen, Haywood, Lenoir, Nash, Pamlico, Richmond, Roanoke-Chowan, Sandhills, Southwestern, Tri-County, Vance-Granville and Wilson. The letters sent to those affected inform the individuals whether their Drivers License number or Social Security number (or both) were on the server and the letters contain information on how to check and secure credit profiles. NC Community Colleges are working to ensure that all personal data is removed from library systems to help prevent this incident from occurring in the future. The press release did not give a reason for the long delay in notification.

UCSF Doctor Falls Victim to Phishing Scam

Adam Dodge — Tue, 15 Dec 2009 20:00:35 +0000

Quick Facts

Date: 12/15/2009
Institution: University of California, San Francisco
Type of Incident: Penetration
Number Affected: 600
Source: PHIPrivacy.net
Abstract Source: San Francisco Business Times

Abstract
The University of California, San Francisco has alerted patients after a physician's email account was compromised. The email account contained demographic and clinical information as well as some Social Security numbers on 600 patients. The email account became compromised in mid-October after the physician fell victim to a phishing scam. Accordign to UCSF news director Corinna Kaarlela, these 600 individuals were notified staring October 21 and December 11, 2009 which is the period during with the university conducted an in-depth investigation into the incident. While the investigation uncovered no indication the emails were accessed, individuals potentially affected were urged to carefully review statement from health insurers for suspicious payments and immediately report any discrepancies to their insurance provider.

Daytona State College Email System Hacked, Used to Send Bomb Threats

Adam Dodge — Fri, 11 Dec 2009 23:52:31 +0000

Quick Facts

Date: 12/11/2009
Institution: Daytona State College
Type of Incident: Penetration, Impersonation
Number Affected: 1
Source: ESI
Abstract Source: Daytona Beach News-Journal (via Google Cache)

Abstract
Daytona Beach Police are investigating the breach of Daytona State College's email system after the system was used to send out three bomb threats. The bomb threat emails were sent from the hacked system to one of the college's adjunct professors. The emails, which originated from an account belonging to an employee on the Daytona Beach campus, contained references to bombs and a threat to "blow this school up, and kill everyone till they are gone". According to John Banker, the college's security supervisor, the employee was not responsible and someone had hacked into her account. Daytona State College does not feel this is a viable but is taking steps to locate the person responsible.

Valdosta Investigates Server Breach

Adam Dodge — Fri, 11 Dec 2009 23:50:46 +0000

Quick Facts

Date: 12/11/2009
Institution: Valdosta State University
Type of Incident: Penetration
Number Affected: Unknown
Source: ESI
Abstract Source: Valdosta State University News Release

Abstract
Valdosta State University is working to notify current and former faculty and students after staff discovered unauthorized access on a server. The server contained the names, Social Security numbers and grades of students from 1997 to present and faculty from 1996 to present. The unauthorized access was discovered on December 11, 2009 and appears to date back to November 11, 2009. VSU's University Police and Division of Information Technology are investigating the breach along with help from Georgia's Bureau of Investigations. At this point, the university has not determined if personal data was accessed or transfered.

Eastern Illinois University Admissions Server Compromised By Virus

Adam Dodge — Fri, 04 Dec 2009 16:11:25 +0000

Quick Facts

Date: 12/4/2009
Institution: Eastern Illinois University
Type of Incident: Penetration
Number Affected: 9,000
Source: ESI
Abstract Source: EIU Notice to Students, Daily Eastern News

Abstract
Eastern Illinois University recently began notifying current and former students as well as applicants after discovering a security breach involving a server containing applicant information. The server, used by the Office of Admissions, contained the electronic applications for admissions between March 10, 2000 and November 16, 2009. These applications contained names, Social Security numbers, dates of birth, mailing addresses and other contact information on 9000 individuals. The university discovered the server was participating in a botnet on November 16 and took action to remove the server from use. An investigation discovered the server was compromised on November 11. While university officials state there is no evidence anyone accessed the applicant data, Eastern is offering those affected a one year membership for identity theft protection through Experian. When asked about the three week delay in notifying affected individuals, Adam Dodge, Eastern's IT Security Officer, stated that many factors contributed to delay including an in-depth investigation by Dodge's office, gathering information on the individuals on the server, collecting and verifying address information, and contracting with Experian.

Nebraska Lincoln Computer Breach Affects High School graduates

Adam Dodge — Fri, 04 Dec 2009 16:10:05 +0000

Quick Facts

Date: 12/4/2009
Institution: University of Nebraska Lincoln
Type of Incident: Penetration
Number Affected: 4,000
Source: DataLossDB.org
Abstract Source: The Doings Clarendon Hills

Abstract
The University of Nebraska Lincoln began notifying high school graduates after discovering a security breach involving a computer containing personal information. The server, used as part of a student the university was conducting on the practices of school districts and standardized test performances, contained the names, Social Security numbers and ACT test score information on 4,000 high school graduates between 2002 and 2005. The information was gathered from the ACT organization with the permission of the Hinsdale High School District 86, Glenbard District 87 and schools in South Sioux City. An investigation into the incident discovered the computer was not adequately secured which allowed unauthorized external access to the computer and the information. In the letters sent to the 4,000 individuals, the university is offering one year of LifeLock identity theft protection.

Penn State Online Grade Book Breach

Adam Dodge — Mon, 30 Nov 2009 16:08:41 +0000

Quick Facts

Date: 11/30/2009
Institution: Pennsylvania Sate University
Type of Incident: Penetration
Number Affected: 303
Source: ESI
Abstract Source: The Daily Collegian

Abstract
Penn State recently notified current and former students after a security incident may have exposed personal information. On August 3, Penn State Security Operations and Services notified university officials that the online grade book a professor used was compromised by a computer virus. The grade book contained the names, grades and Social Security numbers for 303 current and former students. While the information was taken offline when the problem was discovered, the Dean of the College of Earth and Mineral Sciences did not send letters to those affected until November. University spokesperson Annemarie Mountz stated that the university's response was in line with Pennsylvaina's Breach of Personal Information Notification Act. According to Mountz, there is no evidence this information was accessed by any unauthorized individuals. Mike McEvoy, a class of 2006 alumni affected by this incident, said he was thankful the university took immediate action to remove the information but wishes they had notified him in a more timely manner.