Story of the breachThe story is not just about one single breach, but a group of security incidents discovered by Ohio University within weeks of each other.
- The first breach was discovered on April 21st when the FBI notified the university that a computer in the Technology Transfer Department had been compromised. The FBI had been investigating another unrelated crime when they discovered the compromised computer. The university discovered that the Technology Transfer server contained personal information on 35 individuals.
- The second breach was discovered on April 24th when the IT staff noticed that an Alumni database server was being used to launch a Denial of Service attack against an external target. This alumni server contained the personal information on 300,000 individuals and organizations including over 137,000 SSNs. When investigating this incident, the university discovered that alumni server had been compromised as far back as 2005 and had been accessed by domestic and international IP addresses. This server should have been removed more then a year before the breach was discovered and it was assumed by the IT department that it had been. This means the server had not received any updates or patches for more then a year.
- The third breach was discovered on May 4th when the university noticed that someone gained unauthorized access to server housing information used by the university’s Hudson Health Center. The compromised server contained personal information on 60,000 individuals.
- The fourth and fifth breaches were discovered on May 23rd when a forensic scan detected that a server housing IRS 1099 forms for vendors and contractors and a server used for online business transactions containing personal and credit card information had been compromised.
In the end, 5 servers were found to be affected. All told, 367,000 personal files containing 173,000 SSNs were compromised. Emergency repair and notifications cost the university over $800,000.
The university fired 2 IT administrators and the CIO resigned.
What was the responseOhio University’s response this series of breaches has been, for the most part, outstanding. As one would expect, all of the affected servers were immediately taken offline and investigations launched. However, there is much more to the university’s response then simple rote take down and investigate.
- The university spent a large amount of time and money notifying those affected. The university utilized web pages, e-mail and postal mail to alert over 300,000 individuals about the different breaches. The result, the university received over 8,000 calls to the information hotline, 800 e-mails and letters of complaint and over 35,000 hits to the web site about the breaches.
- The university spent nearly $100,000 on breach notifications
- The university formed an IT-oversight committee
- The university hired consultant firms to perform full risk assessments
- The findings were that the IT office was significantly understaffed and the outsourcing the university had was doing was not a good option for the future.
- From these findings that committee put together a 20-point action plan titled “Blueprint for Building a World-Class IT Function at Ohio University”
- Within three weeks of the breaches the university had spent $750,000 on emergency response fixes and will likely need an additional 7-10 million based on the consultants report.
- Ohio University has continued to talk about this breach openly and honestly.
- OU President Roderick McDavis wrote an essay for the Chronicle of Higher Education titled “What Ohio U. Learned From a Major IT Crisis”. In this eassy McDavis is candid and open about the breaches and states that the Ohio University community did not take IT seriously enough. As for one of the key lessons learned by Ohio University, McDavis states that continuity is key and that it is important to openly share positive and negative information.
- These are more then just words in an essay. Ohio University has taken the opportunity to speak publicly about these breaches including a seminar at the 2008 educause security professionals conference.
What went wrong- There were several issues at work causing these breaches, but all of them come down to McDavis’ statement that the university did not take IT seriously.
- In 2004, Stephen Kopp then the provost wrote to the Chronicle of Higher education that the computer services had grown through “spontaneous mushrooming of IT people on campus”. A report from a consultant confrimed this view describing the IT departments on campus as an “adhocarcy” characterized by poor communications and genderal mistrust among administrators, duplicated tasks and resources, and a lock of a unified strategic decision making.
- Thomas Reid director of communication-network services who was fired from the university after these breaches said he had tried repeatedly to warn supervisors about the security risks since 1998. According to Mr. Reid much of the blame can be tied to a significant reduction in IT budget, 1 million in 2 years and lack of clear IT management. Mr Reid had 13 bosses in 22 years.
- In the end, this same exact environment can be found at many educational institutions. Ohio University was not unique in these issues.
Links for more informationOU news release about the breacheshttp://www.ohio.edu/outlook/05-06/May/485n-056.cfmAn excellent breakdown of the incident (Subscription required) Wasley, Paula. “More Holes Than a Pound of Swiss Cheese” The Chronicle of Higher Education <
http://chronicle.com/weekly/v53/i06/06a03901.htm>
Articles about the breachesSandoval, Greg “University server in hackers’ hands for a year” CNet News.com <
http://ecoustics-cnet.com.com/University+server+in+hackers+hands+for+a+year/2100-7349_3-6074739.html>
Vijayan, Jalkumar “Ohio University reports two separate security breaches” Computerworld <
http://www.computerworld.com/databasetopics/data/story/0,10801,111113,00.html>
OU President McDavis’ essay about the breaches (Subscription Required)McDavis, Roderick J. “What Ohio U. Learned From a Major IT Crisis” The Chronicle of Higher Education <
http://chronicle.com/weekly/v54/i30/30b00501.htm>
A good wright-up of President McDavis’ essayHeck, Richard “McDavis writes of computer breach in national publication” The Athens Messenger <
http://www.athensmessenger.com/main.asp?SectionID=1&SubSectionID=273&ArticleID=9592&TM=42628.33>
Ohio University data theft web sitehttp://www.ohio.edu/datatheft/index.cfm
Print this post
|
Permalink |
Comments 
