The University of Michigan has recently released the findings of its investigation into a data breach that occurred in August. The breach was discovered when the university noticed suspicious activity on its campus network. In response, the university took immediate action to contain the incident by disconnecting the network from the internet. The investigation revealed that an unauthorized third party was able to access certain university systems from August 23 to August 27.
The data breach exposed personal information of various individuals associated with the university, including students, applicants, alumni, donors, employees, contractors, University Health Service and School of Dentistry patients, and participants in research studies. Approximately 230,000 people may have had their information at risk, and the university has begun notifying them through letters.
The specific data elements that were exposed vary depending on the individual. For most people, their Social Security number, driver’s license or government-issued ID number, financial account or payment card number, and/or health information may have been exposed. Patients and research participants may have had additional information exposed, such as medical records, diagnosis, treatment, medication history, and information related to participation in research studies.
To support potential victims of data theft, the university is providing advice on best practices, points of contact for law enforcement, and free credit monitoring services. Michigan’s Attorney General has also established a website offering advice to those affected by the breach.
Unfortunately, this incident is not unique to the University of Michigan. Universities are often targeted by cybercriminals due to the large amount of personal information they hold on students, faculty, and alumni. This data is valuable to cybercriminals who can sell it or use it for other malicious activities. Security awareness advocate James McQuiggan stresses the importance of organizations being prepared to respond to attacks and communicate internally and externally when such incidents occur.
The university has received praise for its transparency and handling of the investigation and disclosure of the breach. Sean Deuby, Principal Technologist at Semperis, commends the university for its quick action in disconnecting the network to limit data exfiltration. However, securing networks and data with such a wide range of access is challenging. Social engineering attacks, such as phishing, are often the initial point of entry for cybercriminals. It is crucial for institutions of higher education to conduct security awareness training and implement measures to monitor and detect unauthorized changes and activities.
Ultimately, the University of Michigan’s data breach serves as a reminder of the ongoing threats universities face from cybercriminals. The incident highlights the importance of robust cybersecurity measures and proactive incident response strategies to protect sensitive information and mitigate the potential impact of breaches. By prioritizing security and staying vigilant, universities can better defend against these attacks and safeguard the personal data of their students, faculty, and alumni.