A computer hacker who broke into a database at St. Paul-based Metropolitan State University likely exposed personal information on as many as 160,000 people, officials said this week.

An investigation of the security breach, which was first disclosed in January, concluded that the hacker tapped into a database that included birth dates, home addresses and other personal information dating back 18 or 19 years, according to interim President Devinder Malhotra.

The database included not only current and former students, but some people who contacted the school but never enrolled, he said.

"We took this seriously, and we wanted to be as transparent as possible," Malhotra said. He also apologized for the security breach, which he called "a criminal act," and said the university has taken steps to prevent a repeat occurrence.

The investigation, which concluded this week, found that about 11,000 students had parts of their Social Security numbers — the last four digits — in the hacked database. Officials said they are notifying those students individually by mail this week.

But Malhotra said there was no evidence that any of the personal information had been misused.

In February, the university reported that the Social Security numbers of 900 faculty members were exposed. The data involved faculty who taught at the university between 2004 and 2009.

Maura Lerner