Student SSNs exposed in University of Central Florida breach
UCF said it's reviewing its online systems and protocols after a data breach was discovered in January.
The University of Central Florida today publicly acknowledged a data breach in which the Social Security (SSN) numbers of 63,000 current and former students were illegally accessed.
In a statement posted on the Orlando, Fla.-based university website, UCF President John Hitt reveals that campus officials first discovered the breach in January 2016, immediately reporting the incident to law enforcement and hiring a digital forensics firm to help conduct an internal investigation.
Based on UCF's internal findings, those whose data was affected appear to be student-athletes and UCF teams' student support staff and/or student and faculty employees categorized as OPS, or Other Personal Services.This includes students enrolled in a work-study program, graduate assistants, housing resident assistants, student government leaders, adjunct faculty instructors and select faculty members.
The fact that the breach was limited to these two groups of people suggested that the hackers likely searched for weaknesses in the university's IT architecture and found vulnerable access points in systems specifically related to athletics and OPS employment, opined Clifford Neuman, director of the USC Center for Computer System Security at the University of Southern California. “The question is: why did they [the SSNs] need to be in those particular systems?” questioned Neuman in an interview with SCMagazine.com.
“Perhaps part of the problem is that these organizations are using Social Security numbers as unique identifiers for individuals on these systems,” instead of using something relatively innocuous like student ID numbers, Neuman speculated. While some programs like work-study might require SSNs for tax forms, universities should segregate such sensitive data in more secure back-end systems, Neuman recommended.
Aside from SSNs, stolen information included names, student and employee ID numbers, course credit hours, and some athletic background information (e.g. sports played and whether a collegiate player was a walk-on or recruited). Credit card data, financial and medical records and grades do not appear to be impacted. Still, hackers could use the Social Security Numbers to commit identity theft, or perhaps use other personal information for spear phishing schemes.
“Though the intruders may not have gained access to financial or medical files, with a Social Security number in hand, they are in position to commit financial fraud, medical identity theft, or worse,” said Adam Levin, Chairman and founder of data breach prevention firm IDT911, in an email to SC Magazine.
In his statement, President Hitt said UCF is “enhancing user account and password security and expanding campus-wide information security education and training. We also are conducting a thorough review of our online systems and protocols.” The university is also mailing notifications to individuals who may have been affected.
According to the Identity Theft Resource Center, as of Feb. 2, 2016 there were seven reported data breaches against educational institutions, including the University of Virginia and Southern New Hampshire University.
“I can say that most research universities, especially ones that have medical schools, are acutely aware of cybersecurity and the potential for breaches,” affirmed Eric Burger, Director of the Georgetown Center for Secure Communications at Georgetown University, in an email to SCMagazine.com. “A lot of that is driven by HIPPA on the medical side and a host of DoEd [U.S. Department of Education] restrictions covering student privacy issues.”
Comprised of 13 individual colleges, UCF is the U.S.'s second largest public university by total enrollment, with approximately 60,000 students from 140 countries.