Ohio State University sent out data breach notices last week to roughly 18,000 current and former students, alerting them that their personal information, including addresses and at least partial Social Security numbers, had been posted on the Internet.
Only students who were enrolled in the university’s Student Health Insurance Plan during the 2005-06 academic year were affected. About 4,000 of those students are currently enrolled.
According to the letter, it’s another screw up by a contractor handling outsourced work. In this case, the company mistakenly posted the info on an Internet server. The OSU Office of Student Life has posted an FAQ on the Internet in which they say stringent security precautions were part of their contract, but the vendor failed to meet those standards.
University officials said they thought they’d already effectively dealt with the data breach after a student reported having seen his personal information on the Internet. OSU removed the file containing his info and that of 600 others. But, darn, four more students came forward in December and said their personal information was also posted on the Internet.
This is OSU’s first reported data breach, which isn’t bad considering educational institutions accounted for more than 20% of the 342 reported data breaches in the first half of 2008.
The type of data breach OSU experienced—the inadvertent posting of personal and financial information on the Internet—accounted for 15% of all data breaches in that same period. Lost and stolen laptops, PDAs and other mobile devices accounted for more than 20% of the breaches.