Personal data on 72,000 staff taken in University of Delaware hack

The University of Delaware (UD) has joined the long line of recent data breach victims, with a compromised university system yielding personal information on 72,000 past and present employees.

UD authorities have notified those affected by mail, and email where possible. Investigators have been called in to pin down the scale of the breach, identify any additional risks and ensure those affected are properly informed.

A system has been set up to allow those not yet in receipt of full information to check if they are affected, and all affected staff have been offered credit monitoring services to keep an eye out for potential identity theft.

As the data taken includes names, addresses and Social Security numbers as well as university ID numbers, the risk of identity theft is high. Anyone who believes their information may be recorded on UD databases should check on their status ASAP.

The FBI and forensic teams are probing further, but so far few specifics have emerged, beyond the rather vague statement in the official announcement that the breach was down to "a vulnerability in software acquired from a vendor" - basically saying the fault was with some piece of software not created internally, which doesn't really narrow the field very much.

However, local news sources claim the flaw was in Struts2 software, which suggests the hack is related to Java, unsurprisingly.

The UD response seems to be exemplary in its thoroughness, with the offer of credit monitoring particularly praiseworthy. Perhaps the same cannot be said for their data security processes, allowing such sensitive data to be accessed remotely in the first place.

Promptness is also perhaps something of an issue, with the same local news report suggesting that the breach was first spotted more than a week ago, leading to sections of the university website being inaccessible for a time.

UD is a major research institution, and one of the oldest universities in the US, tracing its history back to a class group which included three signatories of the Declaration of Independence; current Vice President Joe Biden is a former student there.

As investigations into the scale of the breach continue, we can only hope the data taken is limited to the PII already disclosed.

Image of Social Security cards courtesy of Shutterstock.

2 Responses to Personal data on 72,000 staff taken in University of Delaware hack

  1. Barry · 263 days ago

    Reminds everyone again why planning ahead and ensuring we take steps to protect our data instead of relying on the companies storing our data is always a good idea.

  2. Mike · 262 days ago

    Not surprisingly, a browsing of their IT staff directory lists about 100 people, not a single one of which has a title anything remotely to do with security. I bet if we check again in 6 months we might see that change......

About the author

John Hawes is Chief of Operations at Virus Bulletin, running independent anti-malware testing there since 2006. With over a decade of experience testing security products, John was elected to the board of directors of the Anti-Malware Testing Standards Organisation (AMTSO) in 2011.