Ohio University CIO warns more breaches may be found

University IT environments have gained considerable notoriety over the years for their relative lack of security. Recent incidents at Ohio University in Athens show just why.

Barely 10 days after disclosing two separate security breaches involving its computers, the university announced yet another incident in which sensitive data on one of its systems was illegally accessed by an unknown hacker. And there may be even more such disclosures to come as the university's IT department continues a sweeping security review of its networks and systems, warned CIO Bill Sams.

The latest incident involved a server supporting the university's Hudson Health Center. On May 4, the school's IT staff discovered that the system, which holds records of about 60,000 current and former students as well as some faculty and staff, had been infected with a virus.

Further investigation of the server showed that someone had hacked into the system and potentially accessed the data, Sams said. The compromised system contained data from the student health service, including information such as birth dates, Social Security numbers and clinical information. The system also contained data on individuals receiving counseling and psychological services, but in this case the data was restricted to Social Security numbers, dates of birth and dates of service.

Sams did not elaborate on how the hack occurred or whether it was perpetrated by an insider or an external attacker.

"The software vendor we are using felt the files were well protected" and didn't need any encryption, Sams said. The university's own IT staff had felt there was a "theoretical possibility" that unencrypted information on the system could be illegally accessed but decided to go with the vendor's recommendation and did not encrypt the data, he said.