TMCnet News

Hacked off: Data thefts leave Ohio University scrambling, students and alumni steaming
[June 19, 2006]

(Columbus Dispatch (Ohio) (KRT) Via Thomson Dialog NewsEdge) Jun. 19--ATHENS, Ohio -- Linda Couture is no technophobe.

She earned a good living in marketing and communication as one of the first women in the aerospace defense industry.

But she always has been leery of digitally tossing around personal information, declining to bank or shop online.

Then she learned that her Social Security number, which she gave Ohio University as a freshman more than a half-century ago, had been stolen.

A betrayed Couture decided that OU is out of her will because it allowed hackers to rummage around an alumni-relations computer mistakenly left exposed for more than a year.

It pains the 70-year-old from Alexandria, Va., to scuttle plans to leave a significant endowment to OU. The Ohio native said she has made numerous donations to her alma mater over the years.

"I love the school. My success has been predicated on the wonderful education I received. So this was really upsetting to me," said Couture, who earned an associate degree in 1955.

OU has taken a hit in pride, prestige and perception because of ongoing revelations that computer servers at the Athens school were a rich mine of material for data thieves.

Unhappy alumni

Some victims are incensed that OU violated their trust by failing to ensure their privacy.

University officials didn't know the school was being hacked until the FBI, which is investigating the breaches, told them of the first incident. That led to the discovery of the others.

In five incidents since April 21, hackers accessed about 367,000 files containing personal information on students, alumni, staff members and others.

The information included 173,000 Social Security numbers, the key component to identity theft, and detailed medical information on about 60,000 students and others.

Citing security concerns, OU has refused to release public records sought by The Dispatch that might shed light on whether university officials were warned about potential security risks.

The fallout from the breaches has included consulting, computer and mailing costs approaching $1 million, embarrassing headlines and ill will from normally loyal alumni and students.

Even National Public Radio commentator and OU alumnus Brian Unger couldn't resist a sarcastic jab when addressing students at commencement last weekend.

Unger said he was there only "to make sure my Social Security number is safe." Most students laughed. But beyond the joke, many are not happy.

University President Roderick McDavis said he thinks backlash against the school is limited.

"We think that most of our alumni ... have not acquired a great deal of anger toward us," he said. "I think people are having a better understanding of what hackers are doing around our country."

But Steven Alter, an OU alumnus who works in the anti-fraud section of Microsoft, wrote in a May 3 e-mail to OU officials that he was "appalled."

"I'm trying to fathom a situation in which such a serious breach of Social Security numbers could occur and not be discovered for 13 months.

"How could this happen without utter, rank incompetence and a carefree attitude toward data security? ... Shame on you ... I hope your (information technology) staff was fired."

No one has been fired at OU.

Three employees were placed on paid administrative leave to ensure they did not compromise the independence of the security audit of computer systems. They are not accused of wrongdoing and are expected to be back on the job soon.

McDavis said he expects to find out soon whether anyone inside the university was partly to blame for the security breaches.

A report from an independent consultant hired after discovery of the breaches is expected by Wednesday, and that should provide the answers officials are looking for before placing blame, said Bill Sams, the university's associate provost for information technology.



"I understand the criticism," he said. "But discussions of firing at this time would be premature."

He said he will present the consultants' findings to trustees at their meeting Thursday and Friday.


Pacifying patrons

While not "discounting their anger or frustration," Molly Tampke, interim OU vice president for university advancement, foresees no lasting impact on fundraising from alumni.

"I have a great deal of faith in the loyalty of our alumni," she said.

"Certainly, it is not a situation we would have chosen. But I think when people make gifts to the university, they look at the university as a whole ... they just don't look at one thing."

R. Gregory Browning, chairman of the OU Board of Trustees, is confident the university is undertaking "a full-court press to understand the problem and put together the right set of solutions."

"It certainly is a major concern -- it needs to be and should be. We're not going to sugarcoat problems."

Browning, a Columbus consultant and former state budget director, also envisions no long-term effect on enrollment or donations.

While it may be among the leaders in the U.S. in terms of the amount of information lifted by hackers from institutions of higher education, OU has plenty of company.

Colleges and universities have been responsible for about one-half of the major data thefts since early last year, according to the Privacy Rights Clearinghouse.

Higher education is a juicy target because it compiles so much personal information in so many places, said Fred Cate, law professor and director of the Center for Applied Cybersecurity Research at Indiana University.

"Colleges have health information, financial information, grades, family information, tax returns and much more," he said. "So we have a lot of trouble securing our data."

OU officials say they know of no confirmed cases of identity theft stemming from the breaches, although 24 are under investigation. But those vulnerable to fraud and identity theft are not pleased with university responses to their inquiries.

OU declines requests to pay for credit-monitoring services and, when asked if the university will cover losses stemming from fraud, officials say they will do so only if it can be proved that OU was to blame.

It's not a response that endears OU to some of its 183,000 alumni and 28,000 students.

After Brittany Waltz, a Cleveland-area senior, received an e-mail about the breach, she called her parents for advice. They told her to go online and sign up for credit-fraud protection.

"But that would cost me $120," she said. "Why should I have to pay for the university's dumbness? That's the only part of all of this that upsets me. I don't think it could have been avoided, but they should step up and take more steps more quickly to fix it and help us."

Sams, however, said Waltz and others like her can get basic monitoring for free if they have established credit. The extra watch services come with a price.

While Waltz had a little complaining to do, others on campus seem less concerned. Last week, the degrees had been handed out and people were packing their bags for home. Identity theft and fraud seemed as foreign to some students in Athens as Halloween without a party.

"From my perspective, it's just kind of out there," said Kelly Tenzek, a 22-year-old graduate from Hanoverton, in Columbiana County, who received her communication studies degree a week ago. "It's a black mark against the university, but I've been monitoring my credit and doing what I can to protect myself, so it really doesn't affect me."

The costs of prevention

The cost of the security audit and computer upgrades is approaching $1 million.

OU has spent about $700,000 on consultants and computer hardware and software, with most peripheral systems still to be examined.

The university also has spent more than $77,000 on state-required mailings to those whose personal information was hacked.

Sams said that since the first breach was discovered, as many as 30 university personnel and eight consultants have worked virtually around the clock to make sure data is secure. Information-technology personnel have collectively worked 1,000 hours of overtime since April 21.

He said he is "fairly confident" that no OU computer systems currently are being breached by hackers.

"We've been picking up every rock we can find" in the search for current and historical access by hackers, Sams said.

The university's security audit of its central computer systems has been completed. That audit led to the discovery of the two data thefts announced June 9. Firewalls and scanning software have been added to the main computer servers, and the operation of the 226-person information technology department, with an annual budget of about $20 million, is being evaluated, Sams said.

Now, OU will begin to examine its peripheral system of about 1,000 servers, which contain less-vital data but account for nearly 90 percent of the computers at the Athens campus, he said.

What needs to happen, he said, is to work with each of the 2,000 or so faculty members to find out how they've kept individual data and teach them how to make it secure.

It will be a very long process, Sams said.

"We should protect people and their data and their privacy, and we didn't do that," Sams said. "So we must repair that and create a culture of realizing what we have and what it means.

"At the same time, however, there must be some acknowledgement that the world is on a treadmill of increasing sophistication by hackers and we must catch up."

Information on the OU data thefts and identity and fraud protection is available at www.ohio.edu/datatheft.

Dispatch correspondent Jim Phillips contributed to this story.

rludlow@dispatch.com hzachariah@dispatch.com
