Search The Site

Opinion & Forums
The Chronicle Review Commentary Forums Live Discussions

Careers
News & Advice My Career homepage Search jobs by position type by discipline/field by state/region by institution Tools & Resources Employer Profiles

Multimedia

Resource Center

Services
Help Contact us About The Chronicle Subscribe Day pass Manage your account Advertise with us Rights & permissions Employment opportunities





Wednesday, April 9, 2008

University Computer Breach Risks Data of Students Who Never Went There

By CATHERINE RAMPELL

Article tools

Printer friendly	E-mail article	Subscribe	Order reprints

	Discuss any Chronicle article in our forums
Latest Headlines Higher-Education Price Index Rises 3.6 Percent The measure of colleges' inflation costs grew only slightly more than last year, but it doesn't include recent jumps in some expenses, like utilities. Higher-Ed Bill Slowed by Two Disputes Campus Planners Discuss How to Attain Sustainability Ruling Says Colorado Board Discriminated Against University Universities in Beijing Tighten Security for Olympics U.S. Universities Negotiate Tricky Terrain in the Middle East Newly Found Chameleon Lives Fast, Dies Young Commentary Richard H. Hersh and Richard P. Keeling: On a 'Liberal Education'

A computer server at Antioch University containing more than a decade of sensitive information on 60,000 people, some entirely unconnected with the university, was breached three times last year.

The server contained data going back to 1996 on current and former students and employees, as well as on students who had been scouted by the university but never attended or even applied. The data contained ample material for identity theft—Social Security numbers, names, academic records, and payroll records—but university officials said they do not know of any theft connected to the breaches.

University officials noticed something wrong on February 13, 2008, when users who logged into the server received a "mildly profane" message sent by a virus, according to William H. Marshall, the university's interim chief information officer. The server was taken offline, and an outside company's forensic investigation of the server found that "an unauthorized intruder" breached the system on June 9, 2007, June 10, 2007, and October 11, 2007. Mr. Marshall declined to say if he knew if the breach came from an internal or external hacker, citing a continuing law-enforcement investigation.

The university, which has six campuses in four states, began sending out letters about two weeks ago notifying people whose information was compromised and giving them a toll-free number to call for more information. The institution has received about five or six calls a day since then. "The most common calls are from people wondering why Antioch would have had their information on the system in first place, probably rightfully so," said Mr. Marshall.

The university has used outside companies to identify prospective students. "I think it is fairly common for universities, particularly in the last few years, to be more proactive in identifying and tracking students they're interested in," said J. Brice Bible, chief information officer at Ohio University, which endured high-profile security breaches several years ago. Antioch University officials "have obviously acquired information to be competitive, which had made it more challenging for them to maintain a secure environment," he said.

Privacy advocates said there was no excuse for colleges to fail that challenge. "We have a very simple recommendation for universities," says Marc Rotenberg, executive director of the Electronic Privacy Information Center. "If they can't protect it, they shouldn't collect it."

Home | Chronicle Careers | The Chronicle Review