UCF to implement online safeguards as part of hacking case settlement
The University of Central Florida has agreed to spend an additional $1 million annually to protect students’ and employees’ personal information, according to a legal settlement reached with former students in the wake of a hacking that exposed 63,000 Social Security numbers.
UCF agreed to add three information security positions, designate a full-time internal senior information security auditor and tighten access to personal information, as part of the settlement filed in Orange Circuit Court late last year.
The FBI’s Jacksonville office investigated the incident, which became public in early 2016, but has not released information on how it happened.
Additionally, the university estimated one-time costs of $845,467 related to the changes, which also include using email technology that detects and neutralizes harmful internet links and attachments and adding technology to analyze and
report on unusual activity in the network.
A former student first sued the school in February 2016, right after news of the hacking became public.
With the number of highly publicized security breaches in recent years, institutions should know they need to take every possible step to protect employees’ and students’ data, said John Yanchunis, an attorney representing the plaintiffs. He described the lack of precautions at UCF as “simply inexcusable.”
“The warning bell was rung years ago,” Yanchunis said.
The five plaintiffs named in the suit will each receive $500, and the university will pay $64,200 for attorney fees and costs.
Because state laws limit damages to public entities at $300,000 per incident, Yanchunis said the suit focused on forcing UCF to improve its security practices. However, he said, other students and employees affected by the breach still have the right to sue the university for damages.
A number of other universities have been the targets of high-profile security breaches in recent years. Last year, Washington State University sent letters to 1 million people warning them their identities could be stolen after a hard drive containing names and Social Security numbers was taken. In 2016, a hacker accessed a Michigan State University database containing data on 400,000 current and former students, including social security numbers and student ID numbers.
UCF spokesman Chad Binette wrote in a statement that safeguarding personal information is of “utmost importance.”
“The terms of the settlement feature a number of measures that we have already taken to increase our information security staffing, technology and training,” Binette wrote. “This includes purchasing new forensic software, implementing multi-factor authentication for employees and increasing awareness about how to best protect personal information. We will continue to invest in enhancing information security.”
UCF wasn’t able to provide details about which measures the school took prior to the breach.
One of the former students named in the suit, Max Palombo, said after the breach occurred, several fraudulent credit cards were opened in his name, according to the suit. His credit score dropped and he was unable to activate credit monitoring as a result of the fraud notice placed on his profile.
Jeremiah Hughley, a former UCF student and former men’s basketball team manager, originally filed the suit in Orange County Court in 2016 seeking class-action status but later filed an amended lawsuit with four others joining his case, court records show.
UCF first realized there was a problem in early January 2016. Among those affected are about 600 current student-athletes, former student-athletes who last played sports in 2014-15, student staff managers for the teams and other related positions.
The rest are current and former employees, some of them students, who worked at UCF as far back as the 1980s. anmartin@ orlandosentinel.com or 407-420-5120