The long view of security strategies for your network.
In May, Ohio University (OU) announced that a security violation had been discovered in which a computer system that “contained biographical information for more than 300,000 individuals and organizations, including the Social Security numbers of more than 137,000 individuals” was penetrated by unknown persons. A later report indicated that another breach exposed the Social Security numbers and health records of “60,000 people including all current students as well as some school faculty.”
Adam Dodge, a graduate student in Norwich University’s MSIA program, recently sent me a summary of the consequences of these breaches and others at the unfortunate school. As usual, I have edited the contributor’s original material for publication in this newsletter.
* * *
It seems that OU has begun to receive heated backlash from alumni regarding the recent information breaches suffered by the university. A June 12 article in the _Athens News_ by Jim Phillips reviews alumni reactions. Reactions include disgust (some of it expressed in vulgar language) at the loss of reputation for OU; promises to stop any future donations; possible class action lawsuits; and a proposal from one alumna to bill OU for the time she has spent checking her credit reports.
These reactions raise interesting questions. What are the legal liabilities and responsibilities of an organization that exposes personal information to criminal hackers? Like many other organizations, OU has set up a hotline and several University Web sites with detailed instructions on the steps individuals should take if their information was exposed, how to protect one’s Social Security number, and the steps to take if one has been a victim of identity theft.
However, the help offered by OU on these Web pages is informational only. OU offers individuals exposed to possible identity theft no monetary assistance in maintaining a watchful eye on their credit reports. Nor does OU offer any personal assistance in dealing with the consequences of identity theft. Instead, OU recommends that individuals use free yearly credit reports and place an extended alert on their credit report, but only if they have already become victims.
These recommendations may be inadequate. Yearly credit reports are too far apart to catch and mitigate identity theft. OU recommends ordering free reports from each of the three major reporting companies at intervals throughout the year; however, even four months between reports offers identity thieves time to ruin their victims financially and cause immense damage to their credit ratings.
Another response is to place an extended alert on one’s credit report, but that lasts only seven years. Personal information such as the Social Security number can last forever unless one goes through the difficult process of getting a new one. How much good is seven years of protection for a 23-year-old college alumnus who could live for another 70 years?
* * *
Readers should consider their own organization’s use of Social Security numbers, posting of unencrypted data on Web servers, and plans for responding to a breach of confidentiality involving stakeholder data. Adam and I think it is especially important to consult corporate counsel in planning such policies and responses. OU’s documents can provide a start, but we all have a lot to do to cope with these issues in ways that are appropriate for our own situations.
M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.