Breach, Data Security, Vulnerability Management

Third-party software hole exposes personal info University of Delaware workers

Tens of thousands of employees of the University of Delaware in Newark had their personal information compromised in an attack last month.

How many victims? More than 72,000 past and current employees, including student employees.

What type of personal information? Names, addresses, employee identification numbers and Social Security numbers.

What happened?  Hackers were able to obtain the information by taking advantage of a vulnerability in software acquired from a vendor. 

What was the response? The university took immediate action to contain the incident and contacted the FBI and Mandiant, a private computer security firm. School officials physically and electronically mailed letters to affected employees, offering them free credit services from Kroll Advisory Solutions. The university is working to improve its network security.

Details: The college became aware of the breach during routine systems maintenance on July 22. An investigation revealed the attack occurred around July 17. The attacker exploited a vulnerability in unnamed software obtained from a vendor, but reports indicate it was Apache Struts 2, an open-source solution for developing Java web applications.

Quote: “Although we have no evidence that any unauthorized individual or entity has actually used your personal information, we are bringing this data breach to your attention so that you can be alert to signs of any possible misuse of your personal identity now and in the immediate future,” Carl Jacobson, University of Delaware vice president for information technologies, wrote in a letter sent home to affected staff.

Source: University of Delaware, www.udel.edu, “IT security breach,” July 30, 2013.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.