Almost a year after one of the largest security breaches in higher education history, an entire department at Ohio State remains silent, stories don’t line up, a top information technology official has retired and many questions remain unanswered.
On Oct. 22, 2010, the university discovered that a server, which fell under the responsibilities of the Office of the Chief Information Officer, had been breached and the identities of about 760,000 people had been jeopardized.
On Dec. 15, the university notified current and former faculty, students, applicants and others affiliated with the university that a hacker had accessed the server containing their names, dates of birth, addresses and Social Security numbers.
Yet when any IT official was asked about the breach, they referred The Lantern to Jim Lynch, university spokesman.
“You really need to call University Communications,” said Catherine Bindewald, communications director for the Office of the Chief Information Officer.
As the university’s only voice on the security breach, Lynch supplied The Lantern with several email chains regarding the incident.
Documents The Lantern obtained in March through open records requests show that Kathleen Starkoff, the university’s CIO, and Steve Romig, associate director of IT security in the CIO’s office, have no email records containing the phrase “data breach” before Dec. 5.
However, documents obtained in June through a search that included the terms “data incident,” “data breach,” “hack,” “data hack,” “hacking incident,” “security breach,” “security incident” or “security hack” revealed more.
Furthermore, the results of both open records requests were returned the first day of finals week following Winter and Spring quarters, respectively — the day the quarter’s last print edition of The Lantern had been published.
In an email chain included in the documents Lynch provided, Charles Morrow-Jones, director of IT security, informs some of his coworkers of a “potential data exposure” on Oct. 14. The committee then met Oct. 20 to discuss the matter.
When asked if this “exposure” and the security breach that OSU said happened Oct. 22 were the same, Lynch said the two were unrelated.
“Chuck Morrow Jones could tell you what the Oct. 20 meeting entailed (I just can’t remember … perhaps a stolen laptop),” Lynch said in an Aug. 2 email.
The Lantern tried to call Morrow-Jones the last week of August after emails had gone unreturned for almost a month, but he had retired June 30.
Susan Hatfield, administrative assistant for the Office of the CIO, said there is an interim director of IT security and they hope to have someone permanent soon. Hatfield said she did not know what happened during the Oct. 20 meeting.
“I was told that Jim Lynch would have all the information you would need,” Hatfield said.
Morrow-Jones is still listed as the director of IT security on the Office of the CIO website. No interim director is listed on the site. Lynch did not respond to multiple Lantern emails asking for the name of the interim director of IT security.
When contacted this week by The Lantern, Lynch replied in an email, “I don’t recall ever referring Ally (then-Lantern campus editor) to Chuck Morrow Jones.”
In a Dec. 7 email, Bindewald, the communications director for the CIO’s office, asked her colleagues if the incident had been reported to law enforcement.
“Yes, in the sense that Lt. (Rick) Green is a regular member of the data incident response team and attended the meeting we had to initially discuss it,” Romig replied.
In the documents, Romig confirmed that as of Dec. 8, a police report about the breach had not been filed.
Lynch referred The Lantern to Green as to why it took more than a month to file a police report.
“Lt. Rick Green attends most of the data committee meetings (it’s a broad-based committee),” Lynch said in an Aug. 2 email. “My hunch is that after the university discovered the incident it took a significant amount of time to determine what data was on the computer and whether or not that data was compromised.”
But in December, Green did not know about the meeting.
“Is this the meeting I left early?” Green asked in a response to Romig’s Dec. 7 email. “If so I was not informed of a report and don’t know the details.”
OSU police chief Paul Denton, who spoke on behalf of Green, said the report wasn’t immediately filed because it took time to determine the severity of the breach.
“There was extensive technical analysis that occurred before it was determined what the source or the extent of the intrusion that occurred,” Denton said.
OSU police rely heavily on the technical assistance of the CIO in determining if a cyber crime has occurred, Denton said. An investigative supervisor or a detective who is also a member of the FBI’s Cyber Crimes Task Force attends the data breach committee meetings. This representative is not always Green.
“The purpose of the committee is to review the circumstances and the additional discussion is to attempt to learn if there was a policy violation, if this was some kind of technical problem or was there a possible criminal violation,” Denton said. “The only time a police report would be filed is if there is some evidence … that a criminal violation has occurred.”
Denton said the breach continues to be an open investigation for OSU PD and the FBI local office.
The university determined that no data was compromised or taken from the system, Lynch said in his Aug. 2 email.
After the breach, the university hired two computer-security consulting firms: Interhack Corp., based in Columbus, and Stroz Friedberg LLC, a New York-based firm.
According to an original estimate Lynch provided, OSU budgeted $200,000 and $22,000 for Stroz Friedberg and Interhack, respectively.
Additionally, $100,000 was budgeted for Vory’s, a legal consultant, and $50,000 for Adelman, a communications consultant.
For Experian, the incident notification consultant, OSU put aside $3.7 million, bringing the total estimated cost to $4.1 million. The university’s operating funds will go toward the costs, Lynch said.
The Lantern is still awaiting responses to subsequent records requests for the most recent estimates of how much the breach will cost OSU.
OSU hired Experian to provide year-long credit protection for those affected. OSU bought 500,000 activation codes from Experian, costing $3.19 each, for a total of nearly $1.6 million.
Chatas and Stroz Friedberg did not return calls for comment. Interhack declined comment.
On April 19, The Lantern reported on the university’s silence, and six months later, most questions remain unanswered.
Thomas Bradley contributed to this story.