Ohio University Completes Security Audits of Computer Systems

Published: July 5, 2006

ATHENS, Ohio – An external audit of Ohio University’s (OU) computer and network services division has been completed and sharply criticizes the department for making computer security a low priority.

According to the audit, which was conducted by Illinois-based Moran Technology Consulting, instead of investing some of the school’s $1.4 million average yearly surplus on firewalls and other security measures, OU provided generous employee perks, such as health-club memberships.

Auditors also found that the school’s computer and network services division did not have enough staff or resources. Additionally, OU’s staff did not have the necessary skills to appropriately protect the school’s computer networks. Those workers who did recognize there were problems failed to ‘firmly and loudly’ acknowledge the issues.

The audit was conducted in response to five computer security breaches that resulted in the personal information, including Social Security numbers, of approximately 173,000 individuals being exposed. Because of the breaches, two OU graduates have sued the university, saying their right to privacy has been violated. They are seeking class action status.

——Article Continues Below——

Get the latest industry news and research delivered directly to your inbox.

OU officials have acknowledged the security faults and pledged to make improvements. The school posted the following release regarding the security breach and audit:

Ohio University is responding vigorously to improve the integrity of its computer network system and increase its level of security. A number of measures have been taken over the last several weeks, including a thorough security audit of the university’s central computer systems.

As part of the completed audit, investigators identified two computers containing pre-existing security holes. The university has closed those breaches and is notifying all individuals who were affected.

The first of these breaches was discovered on a computer that housed IRS 1099 forms for 2,480 vendors and independent contractors for calendar years 2004 and 2005.

The second breach was discovered on a computer that hosted a variety of Web-based forms, including some that processed on-line business transactions. Although this computer was not set up to store personal information, investigators did discover files that contained fragments of personal information, including Social Security numbers. The data is fragmentary and it is not certain if the compromised information can be traced to individuals. Also found on the computer were 12 credit card numbers that were used for event registration.

There is no evidence that any of the information has been misused.

Ohio University has an ongoing commitment to strengthen security of its computer systems. The university continues to work closely with the Federal Bureau of Investigation and take steps to strengthen its systems.

The university has established a Web site at www.ohio.edu/datasecurity/ and hotline, 800-901-2303 or (local calls) 740-566-7448 to provide information to those individuals who have been affected by these problems.

Posted in: News

Tagged with:

Strategy & Planning Series
Strategy & Planning Series
Strategy & Planning Series
Strategy & Planning Series
Strategy & Planning Series