On April 24, IT officials at the university noticed that someone had hacked into an alumni database server containing personal and biographical information for more than 300,000 individuals and organizations, said Bill Sams, the university's CIO. Faculty and staff members hired by the school before January 2004 were also affected.
The compromised files did not include credit card or bank information, but they did include Social Security numbers for 137,800 individuals, Sams said.
The breach was discovered after IT officials noticed the affected server was being used to launch a denial of service attack against an external target, Sams said.
"We immediately took it offline and got into the logs. We discovered that it had been compromised as far back as 2005," he said. In the 13 months since the server was breached, "we have found that people have accessed it from both domestic and international IP addresses," he said.
The compromised server was supposed to have been decommissioned more than a year ago and IT officials assumed the system had been taken offline, Sams said. As a result, it had not received any security updates and patches for over a year. He did not disclose how the server was breached, or what operating system was running on it.
The second data compromise involved a server at the Technology Transfer Department, which is part of the University's Innovation Center. FBI officials told the university about that breach on April 21. The server, which contained patent data and intellectual property files, was apparently involved in another incident that the FBI was investigating, Sams said, without providing any further details. The university had no idea that the server had been broken into until the FBI pointed it out, he said.
The FBI is currently investigating both incidents, he said.
Ohio University today started sending out e-mails to those affected by the hack into the alumni database server. "We are sending them at the rate of 10,000 an hour," Sams said. He added that the University has also set up a Web site providing details about the incident and instructing affected individuals on the steps they can take to mitigate the risk of ID theft.