A breach impacting the University of Chicago's Biological Sciences Division (BSD) database has exposed the personal information belonging to current and former employees, in addition to students.

How many victims? Undisclosed.

What type of personal information? Names, Social Security numbers, employee identification numbers, employee usernames, sex, marital status, and physical and email addresses.

What happened? A database belonging to the BSD was compromised via an “external” cyber attack, exposing the sensitive information of individuals affiliated with the school's Department of Medicine.

What was the response? Letters offering one year of free credit monitoring services have been sent to individuals impacted by the breach. The university has enlisted the help of a forensics firm to investigate the breach.

Details: The university learned of the cyber intrusion on January 22. Those impacted by the breach were notified on February 19. The “nature and scope” of the attack are not yet known. No financial information was involved in the breach.

Quote: “We have corrected the vulnerability and taken steps to prevent similar problems from occurring in the future,” according to a notification letter signed by Kenneth Goodell, executive administrator of the Department of Medicine, and Everett Vokes, chairman of the Department of Medicine.

Source: http://ago.vermont.gov/, “University of Chicago Breach Notice to Consumer,” Feb. 19, 2015.

The University of Chicago has not returned an SCMagazine.com request for comment at the time of this report.

Update: According to an emailed statement to SCMagazine.com by a university spokesman, the intruders “gained unauthorized access to records of 2,024 current and former employees and students in the Department of Medicine.”

According to DataBreaches.net, which first reported on the incident, the Carbonic hacker collective took credit for the data breach and said they were able to perform the hack by leveraging an SQLi vulnerability. Additionally, they indicated that they accessed an MSSQL Server that included salary and patient data, but did not extract or publish that information. DataBreaches.net alerted the university of the hack on Jan. 22, and pointed school officials to partial data dumps on the hackers' site and Pastebin.