Three U.S. universities recently suffered data breaches that impacted a total of more than half a million people.
On April 30, 2015, UC Berkeley began notifying over 500 individuals that their Social Security numbers or other personal information may have been exposed when a university Web server was hacked in two separate incidents, first in December 2014 and again in February 2015.
The server, which was maintained by a unit within UC Berkeley’s Division of Equity and Inclusion, was used to store a variety of information, including family financial data submitted by students, which contained Social Security numbers and bank account numbers.
Those affected include approximately 260 undergraduate students and some former students, as well as about 290 parents and other individuals. All those affected are being offered one year of free access to a credit monitoring service.
“When campus officials learned of the breach on March 14 they immediately removed the server from the network so that it could no longer be accessed,” the university said in a statement. “A digital forensics firm was brought in to investigate the matter and determine whether any personally identifiable information was compromised.”
UC Berkeley was previously breached in the fall of 2014, when approximately 1,600 people’s personal information (including 1,300 Social Security numbers and 300 credit card numbers) was accessed by hackers who compromised servers in the university’s Real Estate Division.
Earlier last month, Metropolitan State University officials announced that a data breach in December 2014, which was discovered in January 2015, likely exposed the personal information of approximately 160,000 students, about 25,000 of whom are current students.
The personal data exposed varied widely, but included name, birthdate, gender, race, ethnicity, country, home address, phone number, email address, GPA, credits, grades, registration, transfers, majors, and/or application information.
In 11,000 cases, the last four digits of students’ Social Security numbers were exposed. Those students are being notified by U.S. mail.
“We regret this incident and sincerely apologize to those impacted,” Metropolitan State interim president Devinder Malhotra said in a statement. “Since learning of this intrusion, our Information Technology team has disabled the vulnerability that permitted the breach and replaced the affected server. The university also completed additional security measures to minimize future security risks.”
And on April 3, 2015, Alabama’s Auburn University announced that about 370,000 current, former and prospective students’ personal information may have been exposed when a university server was mistakenly made accessible online between September 1, 2014 and March 2, 2015.
The personal information potentially exposed included names, addresses, email addresses, birthdates, Social Security numbers and academic information. All those affected are being offered two free years of access to credit monitoring and identity protection services.
“The exposure resulted from configuration issues with a new device installed to replace a broken server,” the university said in a statement. “After securing our server, we implemented additional network security measures.”
“Auburn takes this matter and the security of the personal information entrusted to us very seriously,” the university added. “We are conducting an extensive review of our data storage practices and policies and will continue to make adjustments and enhancements to improve our performance.”
Previous data security incidents at Auburn University include a data breach in late 2013 that exposed the personal information (including names and Social Security numbers) of 13,698 current and former students, faculty and staff; and a separate data breach in early 2013 in which an undisclosed number of alumni and donors’ names, Social Security numbers, mailing addresses, email addresses and phone numbers were mistakenly uploaded to a publicly accessible server.