In a note posted on its Web site yesterday, the university said that it had also brought in two consultants to augment its IT management team and created a new position of chief of staff to the CIO.

"I am angry and embarrassed by the computer security system lapses that were undetected before my time as leader of the university," Ohio University President Roderick J. McDavis said in the statement.

McDavis also said he has asked the university's board of trustees for a US$2 million investment in infomation security. "While we cannot correct mistakes of the past, I am determined that the university will learn from these oversights and make the appropriate changes," he said.

Such measures are better than none at all, said Pete Lindstrom, an analyst at Spire Security LLC in Malvern. Pa. "But wouldn't it have been nice if they had gotten religion before all this happened?" he said. "In today's college and university environment, you don't have to count the breaches to know you are probably next."

The school should have paid the same level of attention to information security before the breaches occurred, not after, Lindstrom said. "The frustrating thing about security is that folks are awful at preparing for future uncertainties but are good at addressing past improprieties," he said.