The University of Delaware is the latest of the higher-learning institutions in the US to have been hit with a cyber attack that resulted in a data breach.
According to a notification posted by the University administration, the names, addresses, Social Security numbers and employee identification numbers (UD IDs) of some 72,000 current and past employees have been compromised.
“The cyberattack occurred on or about July 17, 2013,” the University shared on its IT Security Response website, adding that it discovered the attack on July 22 during routine systems maintenance.
In the notification they shared that the attacker(s) managed to breach one of the University’s systems by taking advantage of a vulnerability in unnamed software acquired from a vendor.
Delaware Online reported that the software in question was Struts 2, an open-source web application framework for creating Java web applications, which the University used on one of its servers that hosted business functions.
The same server also apparently hosts a payment system for students, but the investigation into the breach has so far not found that any personal and/or financial information belonging to students was compromised.
The University has, naturally, notified the FBI of the breach, and is working with them and cybersecurity firm Mandiant to discover the extent of the breach and to shore up their defenses against future ones. They have also shared that “several dozen other companies, agencies, and organizations have also been subjected to attacks taking advantage of the same software vulnerability.”
The University has already sent notification letters to all who were affected, complete with instructions on how to enroll in the three-year-long credit monitoring program by Kroll Advisory Solutions, which has been paid for by the University.
“The University will not contact you and ask to confirm any of your personal information. If an unknown person contacts you and claims that he or she can help you if you would just confirm your personal information, do not surrender any information. No one from the University, Kroll Advisory Solutions or any other reputable organization will contact you to request your personal information,” they also warned.