Students and faculty from the University of Central Florida (UCF) have filed a class action lawsuit alleging that the university failed to notify affected individuals of data loss resulting from a cyber attack in a timely manner.
The UCF data breach: what happened
On February 4, 2016, UCF disclosed a breach of their network impacting the personal information of 63,000 individuals, both students and faculty. According to a university web page set up to inform affected individuals, the UCF data breach was caused by a computer virus and discovered sometime in January — though the pending lawsuit states that administrators may have had knowledge of the event as early as December of 2015.
The UCF data breach was one of a variety of breaches that occurred across the higher education industry in 2015. A North Carolina State University server was compromised in a hack that exposed payment card information for 5,962 individuals and Ohio’s John Carroll University identified PII-capturing malware on their servers.
Information provided by UCF advises that two specific groups were impacted in the breach. The first was composed of student-athletes and athletic staff. The larger group consisted of current and former employees, including students in work-study positions and adjunct faculty members. Attackers gained access to individuals’ first and last names, social security numbers, and university-issued ID numbers. In the cases of student athletes, limited educational and athletic information was also compromised. The university conclusively determined that no other personal information was at risk of exposure.
Fallout from the UCF data breach
UCF assisted law enforcement in attempts to learn more about the cause of the data breach and, additionally, launched an internal investigation with the aid of a leading digital forensics firm.
In the wake of this security incident, University President John C. Hitt called for a comprehensive review of the university’s security practices. UCF has established a dedicated webpage and call center line to answer questions relating to the incident. Impacted individuals received a mailed notice in compliance with state data breach notification laws along with complimentary subscriptions to one year of credit monitoring and identity protection services.
Years later, the entirety of the fallout from this breach remains to be seen. The approximately 63,000 affected individuals could find themselves further victimized by identity theft or fraud. Following the conclusion of the class action lawsuit, the university remains faced with the difficult task of rebuilding confidence among its student body and staff.
As we’ve noted in previous posts, many colleges and universities find themselves subject to major security challenges. It is common that IT teams are tasked with securing large networks with limited budgets and resources. However, there are many steps colleges and universities can take to improve their security posture including gaining visibility into digital assets so they can be secured, continuously monitoring those assets for vulnerabilities, and measuring and assessing the security performance of vendors and partners — for the life of the relationship.
This post was updated on January 25, 2021.
In this webinar excerpt, see how Chris Schreiber, Information Security Officer for the University of Arizona, uses BitSight to mitigate cyber risks: