University of Michigan discloses details of August data breach.
Oct 25, 2023

Locking down a major data incident around Ann Arbor.

The University of Michigan has released the results of its investigation, as they stand at present, into the data breach the university sustained in August.

Data breach discovered at the beginning of the academic year.

On August 23rd the university noticed "suspicious activity" in the campus network. They "took quick and decisive action to contain the incident, including proactively disconnecting the campus network from the internet." Investigation proceeded along with mitigation, and the university concluded that an "unauthorized third party was able to access certain University systems from August 23, 2023 to August 27, 2023."

The nature and extent of the data exposed.

Personal data on students, applicants, alumni, donors, employees, contractors, University Health Service and School of Dentistry patients, and participants in research studies were exposed. Some 230,000 people associated with the university may have information at risk, and are receiving notification letters.

The specific data elements involved include, for all except patients and research study participants, "Social Security number, driver’s license or other government-issued ID number, financial account or payment card number, and/or health information." Patients and research participants may have had the following information exposed: "Demographic information (e.g., Social Security number, driver’s license or government-issued ID number), financial information (e.g., financial account or payment card number or health insurance information), University Health Service and School of Dentistry clinical information (e.g., medical record number or diagnosis or treatment or medication history), and/or information related to participation in certain research studies."

The university is offering support to potential victims of data theft that includes advice on best practices, law enforcement points of contact, and free credit monitoring services. Michigan's Attorney General has also established a site offering advice to those affected by the incident.

Universities remain attractive targets for cybercriminals.

The large number of people affected by the incident and the value of the data at risk make it obvious why universities remain attractive targets for cybercriminals.

James McQuiggan, security awareness advocate at KnowBe4, highlighted this attractiveness in comments on the incident. "Universities and other educational institutions continue to be target-rich environments for cybercriminals mainly due to the amount of personal information about the thousands of students and hundreds of faculty members that can be stolen. This data is like oil for cybercriminals as they can sell it off or leverage it for other attacks," McQuiggan wrote in emailed notes. "While security programs work to reduce the risk of an attack, organizations need to be prepared to respond to attacks and include the proper communication plans internally and externally when these attacks occur."

Sean Deuby, Principal Technologist at Semperis, applauded the university on the way it handled the investigation and disclosure of the intrusion into its networks. "Kudos to University of Michigan administrators for their transparency in providing details about the scope of an August data breach that exposed sensitive data on its students, faculty, donors, alumni and patients," Deuby wrote. "At the time of the breach, university officials took quick action and disconnected its entire network to cut off external access and limit data exfiltration, indicating the potential severity of what they discovered."

It's difficult to secure networks and data to which so many people have access. Social engineering attacks often afford an initial point of entry. "In general, institutions of higher education are prime targets because they store valuable personally identifiable information on students, faculty, administrators and alumni. And as the digital footprints at universities expand, entry points to sensitive data also increase. While only university officials know how the hackers gained access, it’s not unreasonable to assume that an identity compromise from a phishing attack provided initial access, with unsuspecting students or faculty members possibly clicking on links in an email and downloading malicious software."

Deuby concluded, "While cyberattacks that expose sensitive data are jarring, defenders can make their organizations so difficult to compromise that adversaries look for other companies to attack. Organizations should regularly conduct security awareness training, adopt an around-the-clock threat hunting program, monitor for unauthorized changes occurring in their Active Directory environment, which threat actors use in most attacks, and have real-time visibility to changes to elevated network accounts and groups."