The University of Delaware (UD) has joined the long line of recent data breach victims, with a compromised university system yielding personal information on 72,000 past and present employees.
UD authorities have notified those affected by mail, and email where possible. Investigators have been called in to pin down the scale of the breach, identify any additional risks and ensure those affected are properly informed.
A system has been set up to allow those not yet in receipt of full information to check if they are affected, and all affected staff have been offered credit monitoring services to keep an eye out for potential identity theft.
As the data taken includes names, addresses and Social Security numbers as well as university ID numbers, the risk of identity theft is high. Anyone who believes their information may be recorded on UD databases should check on their status ASAP.
The FBI and forensic teams are probing further, but so far few specifics have emerged, beyond the rather vague statement in the official announcement that the breach was down to “a vulnerability in software acquired from a vendor” – basically saying the fault was with some piece of software not created internally, which doesn’t really narrow the field very much.
The UD response seems to be exemplary in its thoroughness, with the offer of credit monitoring particularly praiseworthy. Perhaps the same cannot be said for their data security processes, allowing such sensitive data to be accessed remotely in the first place.
Promptness is also perhaps something of an issue, with the same local news report suggesting that the breach was first spotted more than a week ago, leading to sections of the university website being inaccessible for a time.
UD is a major research institution, and one of the oldest universities in the US, tracing its history back to a class group which included three signatories of the Declaration of Independence; current Vice President Joe Biden is a former student there.
As investigations into the scale of the breach continue, we can only hope the data taken is limited to the PII already disclosed.