Ohio State alerts 18,000 of breach involving vendor

Date Reported:
12/31/08

Organization:
The Ohio State University ("OSU")

Contractor/Consultant/Branch:
Streamline Print Services Inc.

Location:
Columbus, Ohio*

*Columbus, Ohio is the location of The Ohio State University; however, this was an online incident, so the physical location of the breach is not clear.

Victims:
"persons who were enrolled during the 2005-2006 academic year in the Student Health Insurance Plan offered by The Ohio State University"

Number Affected:
"Approximately 18,000"

Types of Data:
"name, address, group policy number, and OSU ID number (which, at that time, had the same digits as the student’s Social Security Number)"

Breach Description:
"Ohio State University has notified 18,000 current and former students that their names and Social Security numbers were mistakenly stored on a computer server exposed to the Internet."

Reference URL:
The Ohio State University Identity Alert
The Columbus Dispatch
The Columbus Dispatch (follow-up)
Chillicothe Gazette

Report Credit:
The Ohio State University

Response:
From the online sources cited above:

Ohio State University has notified 18,000 current and former students that their names and Social Security numbers might have made it to cyberspace.

A vendor doing work for Ohio State's student health insurance plan mistakenly stored the names on a computer server open to the Internet.
[Evan] This is a good example to use in justifying the extension of an organization's information security domain to include vendors, consultants, partners, and other third parties granted access to sensitive information. Required third-party information security controls should be listed in contracts and compliance tested through regular assessments and audits.

Only students enrolled in the school's insurance program from fall 2005 through summer 2006 were affected.

Ohio State officials said students' personal information has been deleted from Internet search engines and they haven't heard of any identity thefts related to the incident.

"After thoroughly investigating this matter, we believe that it is highly unlikely that anyone has accessed this information in a fraudulent way," said Charles Morrow-Jones, director of information technology security.
[Evan] How can you come to the conclusion "that it is highly unlikely that anyone has accessed this information in a fraudulent way" when the information has been outside of your control for 3+ months on a public network?

OSU officials became concerned when a student found some of his personal data on the Internet in September.

The university took steps to have the file removed and notified about 600 people who were on that file.

It wasn't until four more students told Ohio State that they had found their information online in December that school officials realized they were dealing with a larger problem.
[Evan] Was the first investigation flawed by not being thorough enough to identify the root cause?

The problem arose when Streamline Print Services Inc. of Ohio placed the files on a server that was scanned and cached by Internet search engines.

The information was provided to a contractor to print student health ID cards and was never intended to be placed on an Internet-accessible server, officials said.

An employee working for the company hired to print your OSU Insurance ID card failed to clear the information from his computer.

The employee has been using the same computer as a web server, which enabled files to be accessed.
[Evan] Does this mean that an employee of the vendor used the same computer used for collecting sensitive customer information as a web server?  Obviously (maybe not so obviously) not a good information security practice without better precautions.

Officials said Streamline Print Services is no longer in business, the server that housed this data is no longer accessible through the Internet and that the information has been deleted from search engines.
[Evan] Now that the vendor is out of business, I wonder how they handled data destruction on other computers/servers/storage devices.

The data included the name, Social Security number, address, and effective date for students enrolled in the health insurance plan.

It did not include health information, credit card numbers or phone numbers, said spokesman Jim Lynch.

About 4,000 of the estimated 18,000 students affected are still enrolled at Ohio State, Lynch said.

On Dec. 30, 2008, the University mailed (via U.S Postal Service) letters to all students who were enrolled in the Student Health Insurance Plan during any of those four quarters.

Officials said they didn't notify students sooner because they wanted to protect individuals whose records might still have been vulnerable.

To answer questions, the school also has created a Web site -- studentlife.osu.edu/dataexposure -- and has provided a phone number for people who received the letters.

If you think you were enrolled during the relevant quarters and you do not receive the letter with information about the identity protection service by January 5, send an email with your full name to and we will check and let you know.

Stringent security precautions were written into the contracts with the insurance company and the vendor who printed the cards, but unfortunately, those security provisions were not followed.
[Evan] Excellent.  Writing precautions into the contracts is one issue, enforcing the precautions is another.  Internally, this is not all that unlike writing an information security policy and just expecting your users to read and follow it.

The school is offering those affected 12 months of free credit protection.

We have, over recent years, significantly reduced the use of Social Security Numbers and replaced them with unique OSU ID numbers which present almost no security risk.

The Student Health Insurance Plan no longer uses SSNs.

We adhere to very stringent security guidelines for sensitive data, and we will continue to upgrade our policies and security steps.

This incident could not occur today, but we will learn from it and be vigilant in protecting student information, especially when it is used outside the university.
[Evan] But this incident could occur today, and it did.  Well maybe not today, but within the last six months anyway.

Commentary:
I missed reading about the original Ohio State mailing that went out about the 600 people affected earlier.  It's not so easy to miss a breach affecting 18,000 though.  Check out the comments made above.  I don't feel much like adding anything else right now.

Stay tuned, a bunch of P2P breaches coming up...

Past Breaches:
Unknown
