Higher Education

63,000 Personal Records Compromised in UCF Breach

Ryan Heitsmith | March 7, 2016

Students and faculty from the University of Central Florida have filed a class action lawsuit alleging that the university failed to notify affected individuals of data loss resulting from a cyber attack in a timely manner. On February 4th, 2016 UCF disclosed a breach of their network impacting the personal information of 63,000 individuals, both students and faculty. According to a university web page set up to inform affected individuals, the breach was discovered sometime in January, though the pending lawsuit states that administrators may have had knowledge of the event as early as December of 2015.

At this time, few details are known about the means that the attackers used to compromise UCF’s security. 2015 saw a variety of breach types across the higher education industry. A North Carolina State University server was compromised in a hack that exposed payment card information for 5,962 individuals and Ohio’s John Carroll University identified PII-capturing malware on their servers.

Information provided by UCF advises that two specific groups were impacted in the breach. The first is composed of current and 2014-2015 student-athletes and athletic staff. The larger group consisted of current and former employees, including students in work-study positions and adjunct faculty members. Attackers gained access to individuals’ first and last names, social security numbers and university-issued id numbers. In the cases of student athletes, limited educational and athletic information was also compromised. The university has conclusively determined that no other personal information is at risk of exposure.

Download BitSight Insight: How BitTorrent File Sharing Impacts Vendor Risk and Security Benchmarking

The University of Central Florida is assisting law enforcement in attempts to learn more about the cause of the data breach and, additionally, has launched an internal investigation with the aid of a leading digital forensics firm. In the wake of this security incident University President, John C. Hitt called for a comprehensive review of the university’s security practices. UCF has established a dedicated webpage and call center line to answer questions relating to the incident. Impacted individuals can expect to receive a mailed notice in compliance with state data breach notification laws along with complimentary subscriptions to one year of credit monitoring and identity protection services. The entirety of the fallout from this breach remains to be seen. The approximately 63,000 affected individuals could find themselves further victimized by identity theft or fraud. Following the conclusion of the class action lawsuit, the university will be faced with the difficult task of rebuilding confidence among its student body and staff.

As we’ve noted in previous posts, many colleges and universities face major security challenges. It is common that IT teams are tasked with securing large networks with limited budgets and resources. However, there are many steps colleges and universities can take to improve their security posture.

In this webinar excerpt, see how Chris Schreiber, Information Security Officer for the University of Arizona uses BitSight to mitigate cyber risks.

Suggested Posts

63,000 Personal Records Compromised in UCF Breach

Students and faculty from the University of Central Florida have filed a class action lawsuit alleging that the university failed to notify affected individuals of data loss resulting from a cyber attack in a timely manner. On February...

READ MORE »

2015 University Data Breaches

In 2015, many college and universities suffered substantial data breaches. In each case outlined below, universities lost personally-identifiable information (PII) on thousands of individuals, from their student bodies to faculty and...

READ MORE »

Subscribe to get security news and updates in your inbox.