Encarnacion Pyle follows up on a recent student news story that Ohio State University has about 10 breaches per year with some additional details:
[…]
Ohio State has checked into six possible cases in the past year and found four minor breaches in which the names and Social Security numbers of employees or current and former students might have been stolen from individual computers.
In those four instances, 30 to 385 people might have been affected, said Catherine Bindewald, spokeswoman for OSU’s Office of the Chief Information Officer. She said there are no indications that any data was misused, and no one has reported misuse of their identity.
“The low number of incidents and the minor nature of those breaches are good news when you consider that we have about 35,000 faculty and staff members and 60,000 students,” Bindewald said.
So 386 people having their SSN stolen is a “minor” breach? Or is it only minor because there have been no reports (as yet, anyway) that the data were misused? I do appreciate that things could have been much worse, but characterizing breaches as “minor” may be misleading — particularly if you are one of the people whose data were stolen.
The university’s director of IT security notes the changes and improvement over recent years:
He said Ohio State hasn’t used Social Security numbers in student records for about two years.
The number of data-breach investigations has dropped since the school beefed up security and added a $50 million student-information system that lets staff members obtain admissions, academic-advising, financial-aid and other student records.
Ohio State’s information-security plan requires encryption of sensitive information on university laptops and mobile devices.
It’s nice to see that investment in security is paying off.
Read more in the Columbus Dispatch.