UPDATE
Ohio State University warned those who have had contact with the University that a server containing personally identifiable data was illegally accessed by a third party and may have exposed data on 760,000 people.
The university is
notifying past and present students, faculty, staff, and student applicants as well as certain contractors and consultants affiliated with the University of the breach, which was discovered when staff noticed suspicious activity on a server belonging to the office of the university’s CIO in
late October, according to Jim Lynch, Director of Media Relations at Ohio State University. Lynch went on to say that the attack may have been going on for a few months by the time they discovered the suspicious activity in the server.
University officials maintain that the attackers accessed the
server in order to launch cyber attacks on other businesses, whose names they were unable to disclose as they are involved in an ongoing investigation, and that investigators found no
evidence to support concerns that the theft of sensitive information stored on it, which includes names, birthdates, addresses, and social security numbers, may have
occurred.
Following the lead of other data breach victims, Ohio State is offering a year’s worth of
credit protection services, which according to Lynch, will cost the university approximately $4 million.
In a statement released on Wednesday, University provost, Joseph A. Alluto expressed regret over the incident and said Ohio State is working with security consultants to understand the scope of the attack and strengthen the University’s protections. Lynch identified those firms as Stroz Friedberg and Interhack. The statement goes on to say that they regret that this has occurred and are exercising an
abundance of caution in choosing to notify those affected. They are also working
with a nationally recognized data security firm to further strengthen all of
their systems.
This isn’t the first high profile data breach at Ohio State. The University notified 14,000 current and former faculty and staff members after a criminal breach of a database in the University’s Office of Research in 2007. In 2009, a file containing the personal information of 18,000 Ohio State students who had been enrolled in the university sponsored health insurance plan during the 2005-06 academic year was accidentally published online by an employee of a third party supplier.
