Hackers stole the names, addresses, phone numbers, email addresses and passwords of more than 600 Ohio State College of Dentistry affiliates in a recent data breach, and Oct. 1, that information was released on the Internet.
At least one person whose information was exposed was not informed of the breach.
“This is the first I’ve heard of it,” said Robert Uhle, assistant professor at the College of Dentistry.
University spokesman Jim Lynch said in an email that Ohio law only requires data breach notification if the compromised data could lead to identity theft, and the data taken in this incident didn’t pose that threat.
“For Ohio State, the information accessed was five-year-old, non-restricted data from the College of Dentistry,” Lynch wrote. “This vulnerability was addressed within less than one half-hour after we noticed suspicious server activity, and thankfully no restricted data was taken from the system.”
OSU was one of more than 50 universities attacked by TeamGhostShell. In a statement posted on Pastebin.com, TeamGhostShell said that the purpose of the hack was to “raise awareness towards the changes made in today’s education.”
The hackers also released details of 245 financial transactions at the College of Dentistry, but the released data did not include credit card numbers or other personally identifying information. In their statement, TeamGhostShell said that they deliberately kept the leaked information to a minimum.
According to TeamGhostShell, more than 120,000 individual accounts and records were posted as a result of the hack.
OSU is investigating the incident, and has removed the hacked server from service.
Aaron Titus, chief privacy officer at Identity Finder, a company that focuses on sensitive data protection, wrote in a post on the Identity Finder website that the leaked data from all universities contained more than 36,000 email addresses but included no credit card information or social security numbers and only one bank account number. The multiple-university leak also contained dates of birth, citizenship statuses, marriage statuses, gender information, payroll information and employee IDs.
“Although the hackers claim to have posted 120,000 accounts, Identity Finder could only confirm around 40,000 accounts exposed,” Titus said in the post. “(Forty-thousand) is still a large number, and it is possible that the hackers had access to far more.”
The hackers hit at least 116 servers across 53 institutions. The list of affected universities includes Tokyo University, the University of Berlin, University of Michigan, John Hopkins and Imperial College London.
Neither the College of Dentistry nor the Office of the Chief Information Officer responded for comment.