The University of Minnesota on Thursday confirmed that a hacker "likely gained unauthorized access" to three decades' worth of sensitive information pertaining to applicants, students and employees.
The exact nature of the information accessed varied depending on the person's connection to the university, but the list of data obtained included things like dates of birth, Social Security numbers and passport information, according to a U news release. The university said its investigation "showed no evidence that donation, medical treatment, password, or credit card information was in the database" that was accessed.
The disclosure comes two months after the Cyber Express, a news site focusing on cybersecurity issues, published a report outlining a hacker's claims to have accessed some 7 million Social Security numbers dating to 1989. The report said the hacker accessed the university's data warehouse to analyze the effects of affirmative action in the wake of a recent U.S. Supreme Court ruling that limits the consideration of race in college admissions.
The university is facing six lawsuits from former students, employees and others who claim the U didn't do enough to protect their sensitive data or to promptly notify them of the breach. Some of the university's initial responses to those suits are due in the coming days.
"Obviously, this is a very serious breach. We think it implicates a lot of serious concerns about data security and data retention," said Brian Gudmundson, a lead attorney on one of the lawsuits. "We look forward to getting to the bottom of it and making sure that there is redress for the people who are impacted."
The university has said it hired an outside firm to help investigate the hacker's claims after learning of them July 21. On Thursday, the U released some details of that probe.
The university said it believes the incident "potentially affected" people who applied to the university, enrolled, worked for the university or participated in university programs between 1989 and August 2021. As a result of the investigation, the U believes the data was accessed in 2021, according to spokesperson Jake Ricker.
The breach is also being investigated by the Minnesota Bureau of Criminal Apprehension, and the FBI's Minneapolis office has said it is "aware of the situation."
"The safety and privacy of all members of the University community are a top priority, and the University has increased its vigilance in securing information that it maintains," university officials said in a news release, adding that they had reduced the number of people authorized to access sensitive information, increased monitoring for suspicious activity and taken other steps aimed at boosting security.
The U said it will offer 12 months of free credit and identity monitoring services to people affected by the breach. It is sending notices via email, from the address firstname.lastname@example.org.
"The University's notification approach is aimed at notifying potentially affected individuals whose private data may have been accessed so, out of an abundance of caution, we are notifying all individuals identified with any data element in the data warehouse," Ricker said. "The University will send email notifications to approximately two million individuals as part of its notification efforts."
People who don't have a current email address on file with the U can find additional information at system.umn.edu/data-incident.
The following are the types of information that the university said were potentially accessed, depending on the person's affiliation with the U:
Prospective students (and parents or guardians): Information supplied in admissions or financial aid applications submitted directly to the University or through the standard Free Application for Federal Student Aid (FAFSA) form, including student and parent or guardian names, contact information, Social Security numbers, dates of birth, student high school and high school grade information, standardized test scores, demographic information and family income.
Students: Information related to the individual's education, including student contact information and parent or guardian names and addresses, student email addresses, Social Security number, student ID number, date of birth, classes, grades, demographic information, insurance policy number, loan data, degree and diploma year.
Employees: Information related to the individual's work, including name and address, email address, Social Security number, employee ID number, date of birth, driver's license or identification card, and payroll information (but not bank account information).
Others: Similar categories of information as described above, if provided by individuals with unpaid university appointments, those who performed work for the university, those who received taxable payments from the university, and university volunteers or spouses/partners of certain university administrators.
This story is developing and may be updated.