Skip to Content

Information Security Office

Network is experiencing difficulties.

Hacked: Data breach costly for Ohio State, victims of compromised info Breach affects 760,000 people, expected to cost university $4 million

Ohio State revealed a data breach Wednesday that has jeopardized the identities of 760,000 people and could cost the university $4 million.

The university notified current and former faculty, students, applicants and others affiliated with the university that hackers had accessed the server that stored their names, Social Security numbers, dates of birth and addresses.

"We regret that this has occurred and are exercising an abundance of caution in choosing to notify those affected," said OSU Provost Joseph A. Alutto in a press release Wednesday.

Though the university said there's no evidence data were stolen, computer privacy experts cautioned that the breach could result in identity theft of the individuals whose information is stored on the server.

"Unless proven otherwise, when information like that becomes exposed, there always is a potential for identity theft," said Paul Stephens, director of policy and advocacy for Privacy Rights Clearinghouse, a San Diego-based nonprofit consumer advocacy group.

The university is offering 12 months of free credit protection to everyone whose information was on the server through Experian, Equifax and TransUnion.

The breach will cost the university $4 million in expenses related to investigative consulting, notification of the breach, credit security and a calling center for anyone with questions or concerns.

OSU officials said every current and former student, faculty and staff member was sent an e-mail Wednesday informing them of the data breach and precautions the university is taking in its aftermath.

OSU spokesman Jim Lynch said the time delay between the discovery of the breach in October and notification of it Wednesday was necessary to research and prepare for solutions to the problem.

"The last thing we want to do is announce something and not have support systems set up," Lynch said. "It wouldn't have been wise to put it out any sooner."

In that time, the university hired two computer security consulting firms, Interhack Corp., based in Columbus, and Stroz Friedberg LLC, based in New York. These firms determined in November that there was no evidence indicating that hackers took information out of the server.

The university cannot disclose how hackers accessed the server for security reasons and because the incident is still under investigation.

Stephens said that improved security could have prevented the situation. OSU is seeking to strengthen its IT systems with the help of Interhack and Stroz Friedberg.

They are "looking to analyze how we can enhance our security," Lynch said.

The university is unable to determine who hacked the system, but OSU Police are investigating the incident.

There have been 68 breaches of educational institutions in 2010, according to Privacy Rights Clearinghouse. The OSU breach affected the most records, with the next highest being the possible unauthorized access to 232,000 records at Houston Independent School District in Houston on Oct. 27.

OSU has had several data breaches in the past.

The Lantern reported on April 18, 2007, that 14,000 people were notified as a result of criminal intrusion into a database in the university's Office of Research. In February of that year, two laptops containing an additional 3,500 chemistry students' information were stolen.

The university notified 18,000 current and former students on Dec. 31, 2008, that their personal information was stored on a server that was exposed on the Internet.

On June 6, 2009, 350 OSU Dining Services student employees had their Social Security numbers leaked in an e-mail.

This is more than the average number of data breaches for an institution, Stephens said, adding that the recent breach of 760,000 records is considered very large.

"I guess in the age when we have WikiLeaks and whatnot, it shouldn't be too surprising," said Jeanette Pavlik, a fourth-year in communication.

Pavlik said she was surprised, however, that the university didn't have greater security in place.

Interhack declined to comment, and Stroz Friedberg did not immediately return phone calls.

The university is directing those with more questions about protecting their credit to www.osu.edu/creditsafety.

Dylan Tussel contributed to this story.