As part of the review of a report completed by an independent auditor, Ohio University suspended Thomas Reid, the school's director of communication network services, and the unnamed manager of Internet systems, pending a disciplinary hearing.
The three breaches -- which took place in late April and early May -- included one in which hackers hijacked a university computer and used it to launch a denial-of-service (DoS) attack on an outside network.
"As president of Ohio University, I am angry and embarrassed by the computer security system lapses that were undetected before my time as leader of the university," said Roderick McDavis in a statement. "While we cannot correct mistakes of the past, I am determined that the university will learn from these oversights and make the appropriate changes."
The report recommended the suspension of the two managers and a restructuring of the school's IT organization.
McDavis also asked for $2 million to beef up security, which would include deploying anti-virus protection on every Windows server. The university will also conduct an audit of all server accounts "to determine if any have been compromised and to verify password enforcement, complexity, and length requirements," he added.
The hackers' exact method of compromising Ohio University's systems has not been disclosed, but the remediation McDavis outlined suggests that a Windows server was attacked, perhaps in a brute-force password assault.
"[We] will aggressively implement the independent report's recommendations," McDavis promised.