The changes at OU are being implemented after a review of an independent report commissioned to assess the university's IT security practices.

The first breach involved a server containing patent data and intellectual property files at the university's Innovation Center. That breach was discovered when the FBI told the university it had been provided with disk drives from the server.

A few days later, IT officials noticed that a server supporting alumni relations and development had been compromised and was being used to launch distributed denial-of-service attacks against an external target. That breach -- which had remained undiscovered for over a year -- prompted the university to notify about 137,000 alumni of the potential compromise of their Social Security numbers and other personal data.

Then, on May 4, the university discovered that a system belonging to its Hudson Health Center had been broken into, potentially exposing Social Security numbers, dates of birth, patient IDs and clinical information on nearly 60,000 current and past students and faculty.

The discovery of the three breaks-in prompted the school's IT organization to bring in outside experts to conduct a sweeping review of systems housed in the university's Computer Services Center (CSC). That review led to the discovery of two more breaches: One involved a computer that contained IRS 1099 forms for nearly 2,500 vendors and contractors who had done work for the university in 2004 and 2005; the other involved a computer that hosted a variety of Web-based forms, including some that processed online business transactions.