[ISN] OU has been getting an earful about huge data theft

InfoSec News isn at c4i.org
Tue Jun 13 08:07:07 EDT 2006


By Jim Phillips 
Athens NEWS Senior Writer 

Ohio University has spent more than $77,000 sending letters to alumni
and students affected by a computer security breach.

It's harder to put a price tag on the blow to alumni goodwill, as the
number of people affected by hacking of OU computer databases
continues to rise with the discovery of new hacking incidents.

"This is damaging OU's reputation far more than its drunk football
coach, magazine pictorials or its #2 party-school ranking, and you can
tell (OU President Roderick) McDavis that this really sucks. A lot!"  
wrote one incensed alum May 10.

Another signed off his May 3 e-mail with, "You incompetent f---ing
a--holes. I will never donate a penny to you."

After announcing two computer security breaches in May, OU got
hundreds of e-mails from alums regarding the issue. The Athens NEWS
has examined more than 600 of them, provided by the university in
response to a records request.

The great majority were simply requests for information, trying to
learn whether the sender's personal data were accessed by the hackers,
and to get more detailed guidance on what to do if they were.

A number of writers, however, expressed anger, frustration and in some
cases, a distinct reluctance to donate any more money to OU.

"It was my intention to leave a sizable endowment to OU, but not any
longer," announced one.

"My husband has graciously given to the university's alumni
association many times; we will now think twice before we do it
again," warned another.

Other comments along these lines include:

"I am disgusted with you and will NEVER do anything to help you
financially." "I will definitely be reflecting on this incident the
next time I receive an appeal for a donation to OU." "I have donated
to the university for many years, but this shortcoming, and other
matters having to do with the university, make me hesitant to make
further contributions."

Some alums questioned why OU keeps Social Security numbers on
long-gone graduates, including those who haven't been donors. Some
asked to have their data removed from OU computers - a request the
university promptly grants.

Dozens wanted to know if OU will cover the expenses they rack up in
taking precautions against identity theft, or financial losses if
they're the victim of such thefts.

A handful talked about lawsuits, and one alum simply sent OU a bill.

Molly Tampke, interim vice president for university advancement,
admitted last week that she can't gauge how the alumni perception of
the computer data breaches will affect giving to OU.

Tampke acknowledged that the incidents seem to have undermined alumni
confidence in some cases, but she continued to hold out hope that
alums will look past the problems when it comes time to open their

"It does concern me that alumni would feel like they couldn't trust
us," Tampke said. "In terms of long-term effects for financial
support, I don't think we know. But I think ultimately people believe
in us, and want to support Ohio University... I don't want to look
cavalier by any means, but I believe in the loyalty of our alums."

THE PICTURE JUST GOT darker, however. While investigating the previous
cases in which hackers gained access to personal data - including
Social Security numbers - on close to 200,000 students and alums, OU
recently found two more such incidents. These affect the personal data
of about 2,480 university subcontractors and an additional 4,900
current and former students.

According to a story in the Columbus Dispatch Saturday, the latest
hackings put OU at the top of universities nationally for the amount
of computer data stolen, well ahead of the next school on the list,
the University of Southern California.

More than one alum correspondent has questioned the competency of
those watching over OU's data cache, and one question in particular
keeps coming up in the e-mails sent by alums: Why did you have my
Social Security number on file, anyway?

"I'm trying to fathom a situation in which a serious breach of Social
Security numbers could occur and not be discovered for 13 months,"  
wrote one alum who works in fraud and compliance for Microsoft. "How
could this possibly happen without utter rank incompetence and a
carefree attitude toward data security?... I hope your IT staff was

Another writer noted that "the trend across the country is to de-link
Social Security numbers from other important identifying information"  
in computer databases.

Tampke said the reason for holding the numbers is "primarily to track
lost alumni." When an alum moves and doesn't leave a forwarding
address, she said, OU will give the person's Social Security number to
a tracking service, to find the new residence.

Given the risk of data theft, is this convenience worth it?

"That's a good question," Tampke said, adding that the issue is
"something that we want to sit down and have a very structured
conversation about," once the university has the fallout from the
hacking cases under control.

A recent internal memo on OU's damage-control efforts estimates that
the university has spent approximately $77,090 on printing and mailing
almost 244,000 letters to alums and donors affected by the security

OU has sent out close to 126,000 e-mails in connection with the
incidents as well, the memo shows. Tampke said these numbers should be
pretty much up to date, and that the volume of correspondence over the
case has ebbed considerably.

"It's tapered off a lot," she said. "We're not getting nearly so many
e-mails. I got maybe three letters this week."

Some of the e-mails received by OU, however, suggest that the story is
far from over.

Dozens of writers have hinted - or come right out and said - that OU
should pick up the tab for any credit-monitoring services affected
alums have to pay for, or any losses they suffer through identity
theft. A smaller number have implied, with varying degrees of
specificity, that they may take the matter to court.

"If there is any financial damage or compromise to my other accounts
stemming from this breach of security, I will hold Ohio University at
fault and seek legal counsel to recover any and all loss, with
punitive damages," one alum threatened. "I will further network with
my other alumni to seek a class-action suit for the same."

OU has responded to questions about money liability with a standard
statement, which says that before OU would cover any losses related to
identity theft, it "would need some sort of definitive evidence that
an individual had experienced financial liability not otherwise
remedied by the laws that protect victims of identity theft and that
such harm had occurred as a direct result of this particular database
system compromise rather than a similar compromise of some other
organization's system in which the individual might also have a

Some alums have called this a dodge. "As far as proving that identity
theft was a direct result of your system 'compromise,' you know as
well as anyone that you cannot prove that it was the only place that
information could have been received," one writer complained.

Barb Nalazek, OU's assistant legal affairs director, said that while
it may seem unfair to require an alum to prove that an identity theft
stemmed from OU's computer breach and not some other hacking incident,
in today's world of widespread data theft, this is only realistic.

"We're seeing breaches all the time," she said. "I don't want to sound
like I'm making excuses, but you really have to say, 'Do you really
know that no other company that has all that information on you didn't
breach that?'... It sounds like an excuse, but it's true."

On the expense issue, Nalazek noted that there are a few companies
that will provide one free 90-day credit watch per year.

By using all of these companies, she said, a person can keep an
ongoing watch on his or her credit record, "and it doesn't cost
anything... For what is an appropriate sort of due diligence, it
really is something we all should be doing, and there doesn't have to
be any financial cost."

As for losses incurred through identity theft, Nalazek pointed out
that the law already limits a person's individual financial liability
in the case of, say, misuse of a credit card.

"As long as you're monitoring your credit-card statements, your
liability is extremely limited," she said.

No one, apparently, has yet sued OU over the security breach, but the
e-mails contain a handful of veiled threats, not-so-veiled threats,
and queries on this issue.

"Is there already a class-action lawsuit against Ohio University at
this time?" asked one alum.

"Like many of my classmates, I'm also investigating Ohio University's
potential criminal and civil liability," noted another.

"If there is a lawsuit, believe me I will happily join it," announced
a third.

Nalazek confirmed that the idea of a class-action suit has apparently
crossed the mind of more than one OU alum, but said she knows of no
organized effort to file one.

"It's certainly not that we haven't heard those two words bandied
about by people contacting us," she acknowledged. "But as far as that
happening, there's nothing that we know of."

One resourceful alum dispensed with hints, threats and allegations,
and simply billed OU for the time she spent checking her credit
status. Calling the university "fully liable" for her outlay of time,
she e-mailed an invoice for three hours of work at her "usual billing
rate" of $165 an hour.

In its latest response, OU Legal Affairs Director John Burns has
contacted the firm the woman works for, asking for confirmation of her
hourly rate.

"(The alum's) hourly compensation claim is unique so far, and I am not
sure what Ohio University's decision will be," Burns states in a June
1 e-mail.

Not everyone who expressed an e-mail opinion about the data breach was
outraged. Some were understanding, a few sympathetic. One was nearly

"Please stop giving my information to identity thieves," the alum
asked politely. "Thank you for your consideration." In a postcript he
added, "I would give you the rest of my contact information, but I am
afraid it would be stolen."

More information about the ISN mailing list