The University of California, Berkeley recently began notifying approximately 1,600 people that their personal information may have been accessed when servers in the university's Real Estate Division were breached by hackers.
The breach was first discovered in September 2014, after which the affected servers were removed from the network, and UC Berkeley began reviewing the data stored on the servers to look for personal information.
"Because the compromised servers contained such a large volume of data, an outside firm was brought in to lead the search for any personally identifiable information on the servers," the university said in a statement.
The search for personally identifiable information concluded the week of November 17, 2014, and notification letters were mailed starting December 12, 2014. All those affected are being offered one free year of credit protection services from ID Experts.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
Those affected include current and former UC Berkeley employees, as well as employees of companies that work with the Real Estate Division. The data, which covers dates ranging from the early 1990s to May 2014, includes approximately 1,300 Social Security numbers and 300 credit card numbers.
"We understand that it’s disturbing to learn that your Social Security number or credit card number may have been exposed to hackers, and we truly regret that this has occurred," UC Berkeley interim chief security officer Paul Rivers said in a statement. "We are encouraging those affected to take advantage of the free credit monitoring service that the university is offering to those impacted by the breach."
While the servers that were breached weren't devoted to storing personal data, they did hold some files containing personal information, such as expense reimbursements and payments to outside consultants.
"As part of the follow-up, we have taken protective measures including review of all data involved in the breach as well as review and enhancement of information security controls in the Real Estate Division," the notification letter [PDF] states.
In a similar but unrelated breach, California's Point Loma Nazarene University recently began notifying an undisclosed number of people that their names, Social Security numbers, birthdates, credit card information, user names, passwords and driver's license numbers may have been accessed following phishing attacks.
The phishing attacks provided hackers with access to five Point Loma employees' email accounts between October 7 and October 20, 2014. It's not clear from the university's notification letter [PDF] why such a wide range of personal information was accessible via the breached email accounts.
According to a recent BitSight report, U.S. colleges and universities are at even greater risk of security breaches than companies in retail and healthcare.
"University cyber security is a complex game that involves juggling a high volume of open network access points, diverse technology needs, multiple compliance and regulatory measures and the protection of high value information, such as student and faculty data or even sensitive intellectual property," the BitSight report states. "It is no wonder that these organizations often drop the ball."