Remember back in December when Ohio State University announced that it had detected a breach at the end of October and would be notifying 760,000 people who had personally identifiable information on the server? It seems that they are still trying to notify some of them.
Encarnacion Pyle reports in The Columbus Dispatch:
A hacker hasn’t hit another computer server at Ohio State University. But the school has sent 226,000 letters, mostly to alumni, in the past couple of weeks about free credit-monitoring services.
Ohio State uncovered a breach in late October and began notifying people whose data might be at risk. The original list of 760,000 students, professors and others who do business with Ohio State contained some outdated addresses, officials said yesterday. So the university recently has sent out new letters to what officials hope are their current addresses.
“Let me tell you, it’s hard to find 760,000 people,” said Jim Lynch, OSU’s spokesman.
Well yes, I imagine it would be. Which seems to be yet another excellent reason not to keep so much non-current data on a server connected to the Internet. By now, it’s somewhat discouraging that some entities still don’t seem to have learned that lesson. Maybe there should be a penalty surcharge for breaches involving data that are past their freshness date but were left connected to the Internet.
Yet another argument for a national mandatory data breach list that would be available to the public. It should include the letter of notification so that those who have moved could look it up themselves. Media notification is the standard now, but what if they moved out of Ohio? We live in a mobile society, with one statistic stating that 17% of the nation moves annually. Change of address every 6 years – not too unreasonable to believe, especially when people must move to find work.