University of Minnesota says 2021 data leak may have compromised student info as far back as 1989
MINNEAPOLIS, Minn. -- The University of Minnesota confirmed on Thursday that a 2021 breach of a university database may have compromised personal information of students and staff dating back to 1989.
On July 21, 2023, the U of M learned of an individual claiming to have posted sensitive admissions data on the internet. After an extensive investigation into the claim's credibility, the university confirmed that a breach of its database occurred in 2021. According to a press release, this incident has not affected university operations.
The U of M has since confirmed that the incident has potentially affected individuals who submitted personal and sensitive information as a prospective student, attended the university as a student, worked at the university as an employee, or participated in university programs between 1989 and 2021.
Some of the information the individual has potentially gained access to includes full names, addresses, telephone numbers, Social Security numbers, driver's license or passport information, university I.D. numbers, birthdates and demographic information.
RELATED: Minnesota Department of Education hit by cybersecurity attack, 95,000+ students' data breached
The database that was breached held information supplied by financial aid applications that were either sent directly to the university or through the standard Free Application for Federal Student Aid form, which means that personal information (such as family income, Social Security numbers, contact information, etc.) from parents and/or guardians may have also been accessed.
Grace Kauffman is a senior at the University of Minnesota. She also works there as a TA, so she could've been a victim twice.
"I trusted the university with my personal information and didn't protect it. And that's really frustrating," Kauffman said. "When I saw social security as one of the data points taken from me potentially, I was like, 'holy crap this is really serious.'"
The university promises that safety is its number one priority and that recent scans of the university's electronic systems have not detected any "ongoing suspicious activity," said a press release.
The press release went on to say that the university is working with forensic professionals to improve its overall security system, including increasing data access control measures and reducing the number of authorized users to databases with sensitive information.
Additionally, the university may offer individuals affected by the breach 12 months of free credit and identity monitoring services through Kroll, a forensic accounting and mitigation company.
RELATED: How hackers gained access to Minnesota Department of Education data
Officials on Thursday declined to meet with WCCO for an interview, but promised in a letter to potential victims to strengthen cyber defenses and review its policies.
"I think decades raises a question as to whether the U was following their own retention policy or if they even have one," cyber expert Mark Lanterman said.
WCCO found that policy, updated last year, and, generally, the retention schedule says that everything except for transcripts should be wiped no later than 10 years after graduation and seven years after employment.
The university has begun contacting potentially impacted individuals, using the following email address: data-incident@notification.umn.edu. The university will be providing more details about steps being taken in response to the incident.
If you believe you may have been impacted by this data breach or have any additional questions, visit the UMN's website.