August was an especially busy month for hackers, thieves and inept university IT employees. There were nine reported data breaches at American educational institutions last month—hackers were blamed for two; thieves for three; and, inept employees who inadvertently exposed personally identifying information caused three more.

The ninth incident occurred at the University of Texas, Brownsville and involved student and employee fraud. The security breach involved stolen test answers and no personally identifying information was revealed.

The total reported number of compromised records is low—roughly 2,000—but three of the universities failed to reveal the number of compromised records, so the total is undoubtedly higher.

• University of Oregon
  Unauthorized disclosure
  Roughly 20 student records exposed because of a flaw in the university’s degree auditing system.
• University of California, Berkeley
  School of Journalism
  Hacking
  Names, birth dates, and Social Security numbers of 493 students who applied for admission between September 2007 and May 2009 were vulnerable when the school’s web server was breached.
• Louisiana State University
  Unauthorized disclosure
  Number of affected records unknown
  Students’ personal information, including names and Social Security numbers, was inadvertently posted on an LSU web site.
• Northern Kentucky University
  Computer theft
  Names and Social Security numbers of at least 200 current and former students were contained on a laptop stolen from an on-campus, secured location. There was no mention of whether the information was encrypted or password-protected.
• California State University, Los Angeles
  Computer theft
  Names, address and Social Security numbers of more than 600 CSULA employees and former students were contained on two desktop computers and 12 laptops stolen from campus.
• Boston University
• ROTC Program
  Unauthorized disclosure
  6,675 ROTC students (406 from BU; the balance from other ROTC programs around the country) were affected when their records were inadvertently exposed on the Internet via a file-sharing program installed on a university computer.
• University of Massachusetts, Amherst
  Hacking
  Number of affected records unknown
  20 years of student records exposed in a data breach, which occurred last year between September 15 and October 27. Information includes names, Social Security numbers and some credit card information of current and former students who attended the university between 1982 and 2002.
• Bluegrass Community and Technical College, Lexington, KY
  Theft
  Little information is available, other than that personal information including Social Security numbers of 100 or fewer students was stolen from the college.

Information for this post was gathered from ESI (Education Security Incidents). For more information on data breaches at colleges and universities, visit www.adamdodge.com/esi/month/2009/08.