Data hack at UCF compromises 63,000 Social Security numbers
About 63,000 Social Security numbers and names of former and currentUCFstudents and employees were stolen by hackers, officials disclosed Thursday, part of a growing cybersecurity threat faced by schools and other large institutions.
The FBI’s Jacksonville office, which is investigating the case with UCF Police and other agencies, said it has sent out notifications to all U.S. colleges “in an effort to identify other potential victims.” FBI officials would not elaborate.
UCF first realized there was a problem in early January but didn’t announce the hack publicly until nearly a month later as it worked with authorities and experts to determine the details of what happened, officials said.
Among those affected are about 600 current studentathletes, former student-athletes who last played sports in 2014-15, student staff managers for the teamsandother related positions.
The rest are current UCF employees as well as those who worked at UCF as far back as the1980s.
Those positions affected include undergraduate student employees (including those in work-study jobs); graduate assistants; housing resident assistants; adjunct faculty instructors; student government leaders and faculty members who were paid for teaching additional classes, according to the university.
The case reveals just how savvy hackers have become at stealing data and how such attacks are the new reality for schools, governments and others, said Von Welch, director of Indiana University’s Center for Applied Cybersecurity Research.
“It’s anextremelyhardsituation for folks like UCF to be in,” Welch said. “They have the large databases … All it takes is one mistake for hackers to exploit. If you’re anything less than perfect, these hacks can occur.”
Joel Hartman, who oversees the university’s information technology department, said it’s unclear who is responsible for the hack, although it likely was done by multiple individuals over time.
“All the information we have indicates there has been no attempt to use this information for identity theft or fraud or other financial means,” Hartman said, adding no credit card information or grades were stolen. Otherinformation, including student and employee ID numbers, also was compromised.
Those affected, a number almost the size as the city of Kissimmee, will be notified by letters that are expected to be mailed Friday.
A call-in phone center, where the wait time was up to 50 minutes on Thursday afternoon, also was rolled out to verify if people’s information has been compromised. The center, which can be reached at 877-752-5527, will be open from 9 a.m. to 9 p.m., Monday through Friday.
The university also launched a website to answer questions at www.ucf.edu/datasecurity.
People whose information was compromised will receive one year of free credit monitoring and identityprotection services.
Welch offered a nugget of good news, saying with large breaches the chances of being singled out is likely “pretty darn small.” He did recommend, however, that people freeze their credit so no one can take out credit cards or loans in theirnames.
“It’s a lot of people,” said Fernando Encarnacion, who graduated from UCF in August and was worried he might end up on the list of victims from his old student job.
He said it bothered him people will have to wait for the letters to arrive to determine if their private information is vulnerable.
“A day is a long time, let alone a couple of days,” the Orlando resident said. “I think it’s much more serious than the attention it’s actually getting.”
UCF first became aware that somebody accessed the administrative systems on Jan. 8. Andthen later, on Jan. 15, the school realized the data breach affected a larger group of people than initially thought, Hartman said.
The probe into details of what happenedwas finished Wednesday, he said when askedwhy the delay for notifying victims. Hartman declined to say how the school discovered the situation, citing the ongoing investigation.
“We have taken significant means to protect the datawe have,” Hartman said. “The fact someone is able to get access to it is a great concern to us.”
In general, a hacker can often get access into a database through what’s known as phishing, Welch said. An employee opens a fake email that sounds urgent and appears to be written by a boss.
“It’s whole goal is to trick an employee into logging into a fake server so they get the employer’s user name and information,” Welch said, adding from there, hackers break into the system and work their way to steal the database.
UCF officials would not confirm if thatwas the cause of the security breach.
School leaders said the school is taking steps to make sure a security data breach doesn’t happen again by enhancing user account info and password security.
“To ensure our vigilance, I have called for a thorough review of our online systems, policies and training to determine what improvements we can make in light of this recent incident,” UCF president JohnHitt said in anews release.
The university posted the release of the data breach on its website and emailed students.
As the news broke Thursday, people posted messages about their frustrations on social media. Some found dark humor in the situation.
“Also, I failed Biology and Trig HARD. Still want my identity? Good luck getting that off the transcript, ya thief,” Krista Welter, a UCF graduate from Kissimmee, wrote onTwitter.