Ohio State data breach caused by a third party
A file containing the personal information of Ohio State University students was posted to the internet by the employee of a third party vendor that prints OSU Insurance ID cards.How many victims? 18,000.
What type of personal information? Names and Social Security numbers, insurance group policy number, and OSU ID number (which, at that time, had the same digits as the student’s Social Security Number). The information did not include any health information, credit card numbers or phone numbers.
What was the response? A website was created to provide information about the breach. The university is informing affected individuals with a letter and making free identity protection available for 12 months to those whose data was exposed.
Details: The file involved current and former Ohio State University students who were enrolled in the university-sponsored Student Health Insurance Plan during the 2005-2006 academic year (Autumn 2005 through Summer 2006).
Security precautions were written into the contracts with insurance company and the vendor who printed the cards, but those security provisions were not followed.
Source: http://www.studentlife.osu.edu/dataexposure/, The Ohio State University Office of Student Life: Data Exposure.
