OU leaves server in hackers' hands for a year

For at least a year, a Ohio University system that contained Social Security numbers belonging to 137,000 people has been under the control of American and overseas hackers, the school's CIO told News.com recently. That's just one of several serious computer breaches at the university, prompting a sweeping overhaul of OU's IT department.

"That's unbelievable," said Avivah Litan, security analyst with research firm Gartner. "I have never heard of that much of a delay. Why would it take a year to discover this? It doesn't make any sense."

What's also alarming to Litan is that a year-long compromise could go undetected at a time when universities should be operating on high alert. Over the past year, numerous media reports have chronicled security breaches at such schools as Notre Dame, Purdue and Georgetown universities.

But universities are infamous for data leaks. Litan estimates that a third of all data leaks are at universities. Why? Lots of SSNs, for sure. But the kicker: She says universities don't take security serious enough. "They don't want to spend money on it," Litan said.

Then there's the free-flow of information. "If you're a corporation, you can just lock everything down," CIO Bill Sams said. "We don't have that luxury. The academic side is trying to find a line between maximum flexibility and data security...We need someone somewhere to come up with a set of best practices for schools."

So what happened?

A server supporting the alumni relations department was supposed to be offline, Sams said. The people responsible for shutting it down thought they had done so. The server continued to be connected to the Internet but didn't receive security updates. It was the equivalent of leaving a backdoor open for thieves to walk in and seize what they wanted.

The culprits who broke into the other two servers made off with health records belonging to students treated at the university's health center, as well as Social Security numbers of an additional 60,000 people.

"We had a failure of both policies and procedures," Sams said. Asked why, when so many schools were succumbing to computer attacks, Ohio University wasn't quicker to order a security audit, Sams replied: "Should we have? Yes. Did we? No."