University server in hackers' hands for a year

Intruders go undetected in total on three servers containing student data at Ohio University.

Greg Sandoval Former Staff writer
Greg Sandoval covers media and digital entertainment for CNET News. Based in New York, Sandoval is a former reporter for The Washington Post and the Los Angeles Times. E-mail Greg, or follow him on Twitter at @sandoCNET.
Greg Sandoval
3 min read
An unprecedented string of electronic intrusions has prompted Ohio University to place at least one technician on paid administrative leave and begin a sweeping reorganization of the university's computer services department.

Bill Sams, Ohio University's chief information officer, said he initiated the reorganization on Friday. The Athens, Ohio-based university is reacting to recent discoveries that data thieves compromised at least three campus computer servers.

In a disclosure that hasn't been widely reported, one of the compromised servers, which held Social Security numbers belonging to 137,000 people, was penetrated by U.S. and overseas-based hackers for at least a year and possibly much longer, Sams said in a phone interview Sunday with CNET News.com.

At least one security expert was astonished that a compromise could go undetected for so long.

"That's unbelievable," said Avivah Litan, security analyst with research firm Gartner. "I have never heard of that much of a delay. Why would it take a year to discover this? It doesn't make any sense."

What's also alarming to Litan is that a year-long compromise could go undetected at a time when universities should be operating on high alert. Over the past year, numerous media reports have chronicled security breaches at such schools as Notre Dame, Purdue and Georgetown universities.

Ohio University only became aware that a problem existed after the FBI discovered someone had remotely taken control of one of the school's servers.

Litan estimates that a third of all data leaks are at universities. She says information bandits are preying on the nation's colleges for three reasons. First, the schools possess Social Security numbers and other information useful in committing identity theft. Secondly, she says universities don't take security serious enough.

"They don't want to spend money on it," Litan said.

Lastly, universities are at a disadvantage because they must keep information free flowing. Part of their mission is to share knowledge. While the Internet has simplified that task, it has also presented greater risks.

At the time of the attacks at Ohio University, the school operated 90 servers, Sams said. And that was just the school's primary computer network; more servers are operated by individual university departments.

"If you're a corporation, you can just lock everything down," Sams said. "We don't have that luxury. The academic side is trying to find a line between maximum flexibility and data security...We need someone somewhere to come up with a set of best practices for schools."

How a server could be left open to intruders is still under investigation. But this much is known: A server supporting the alumni relations department was supposed to be offline, Sams said. The people responsible for shutting it down thought they had done so. The server continued to be connected to the Internet but didn't receive security updates. It was the equivalent of leaving a backdoor open for thieves to walk in and seize what they wanted.

The culprits who broke into the other two servers made off with health records belonging to students treated at the university's health center, as well as Social Security numbers of an additional 60,000 people.

"We had a failure of both policies and procedures," Sams said. Asked why, when so many schools were succumbing to computer attacks, Ohio University wasn't quicker to order a security audit, Sams replied: "Should we have? Yes. Did we? No."