A hack at the University of Central Florida (UCF) caused 63,000 social security numbers to be leaked—this includes current and former students, as well as employees. On February 4, officials revealed that the hackers were part of a mounting threat that other big institutions and schools have been struggling with. The Jacksonville, Fla. FBI office has taken over the case in conjunction with UCF police. Now, all colleges in the US have been notified “in an effort to identify other potential victims.”
The issue was first noticed in January, but the official hack announcement was kept mum for nearly a month. Authorities say the details were trying to be quietly worked out without causing alarm. Those hacked include 600 student athletes who were active from 2014-present. Former students and employees who were hacked go as far back as the 80s. Every type of employee was targeted, including student employees (work-study), housing assistants, graduate assistants, faculty members, and student government workers.
The New Hackers
This massive hack is indicative of how sophisticated today’s cybercriminals have become. Stealing data from schools and government institutions used to be considered a major challenge. However, the Indiana University Center for Applied Cybersecurity Research employee, Von Welch, says, “They (schools) have the large databases…all it takes is one mistake for hackers to exploit. If you’re anything less than perfect, these hacks can occur.”
Many times, it’s a simple oversight that leads to such vulnerabilities. For instance, choosing a basic shared hosting plan instead of VPS (virtual private server) hosting, or failing to change passwords. Currently, the manager of UCF’s IT department, Joel Hartman, said there’s no clue how the hackers got in. However, there seems to be multiple hackers involved. “All the information we have indicates there has been no attempt to use this information for identity theft or fraud or other financial means.” The good news is that credit card data and grades were not stolen.
UCF says everyone who was impacted will receive a letter in the mail. A special call center has been set up so current and former students/employees can find out if their data was compromised, but call wait times stretched up to 50 minutes in the hours following the announcement. For those who are victims, they will receive a free year of credit monitoring as well as ID protection services.
According to Welch, massive breaches like this do come with a silver lining. It’s pretty rare that any one person will be singled out, but it’s still a good idea to freeze your credit just in case. UCF has told authorities that they first knew someone had gotten into their system on January 8, but it wasn’t until January 15 that they realized just how big the breach was. Nobody, including authorities, has elaborated on why it took several days beyond that realization to notify victims.