The University of Minnesota recently confirmed a significant data breach that has exposed sensitive personal information of students, faculty, and staff. This acknowledgement follows a detailed report from cybersecurity researchers investigating claims made by a hacker on a dark web forum.
On July 15, a hacker alleged they had accessed a staggering 7 million Social Security numbers after infiltrating a data storage warehouse used by the university. The hacker touted having uncovered "basically all records the university has since they began digitizing in 1989,” raising serious concerns about the extent of the breach.
The motivations behind the attack appear to be linked to the recent U.S. Supreme Court ruling that invalidated affirmative action policies. In a shocking call to action, the hacker invited others to categorize the stolen data based on race and admission test scores. Cyber Express was the first to highlight the existence of this post, with reports surfacing on July 21, although the university did not immediately respond.
This week, the university addressed the situation publicly for the first time, revealing that it had initiated an investigation shortly after the hacker's claims became known. A spokesperson for the university stated, "We began an investigation on July 21, hiring an outside global forensics expert to help determine the validity of the party’s claims, and to ensure the security of the University’s systems.”
Preliminary findings from the investigation indicate that the data allegedly accessed dates back to 2021 and earlier. "The preliminary assessment is that the data at issue is from 2021 and earlier," the spokesperson explained. This revelation has raised questions regarding the relevance of the data at the time the breach was reported.
"The preliminary assessment is that the data at issue is from 2021 and earlier,"
Concerns about privacy have led the university to commit to notifying individuals whose sensitive personal data may have been accessed. "To the extent any sensitive personal data was accessed, the University will notify affected individuals and provide resources to help protect against misuse of their information, as required by federal and state law, University policies, and in accordance with our obligations to the University community," the spokesperson emphasized.
In line with these obligations, the university has also informed appropriate state and federal regulatory agencies about the breach. While declining to elaborate on the reasoning behind the timeframe for the affected data, the spokesperson assured that the institution has been proactive in enhancing its cybersecurity measures since 2021.
"Since we became aware of the breach, we have conducted additional scans that did not reveal ongoing suspicious activity related to the incident," they added. The university continues to work closely with law enforcement as the investigation progresses.
"Since we became aware of the breach, we have conducted additional scans that did not reveal ongoing suspicious activity related to the incident,"
This incident marks yet another cybersecurity concern for public institutions in Minnesota. Notably, just a month earlier, the state’s Department of Education reported its own data breach following vulnerabilities associated with the MOVEit software. As cybersecurity threats grow increasingly pervasive, the university's commitment to safeguarding its data and supporting those affected will be paramount in the weeks and months ahead.