Georgia Tech data breach: 1.3M students and staff potentially affected

The Georgia Institute of Technology, commonly referred to as Georgia Tech, has suffered yet another data breach. This time, the number of affected individuals may have reached 1.3 million.

What is known about the breach?

“Application developers for the Institute noticed a significant performance impact in one of its web applications and began an investigation on March 21, 2019. During this investigation it was determined the performance issue was the result of a security incident,” Georgia Tech explained.

“The Institute traced the first unauthorized access to its system to Dec. 14, 2018. We have determined that an outside party leveraged a vulnerability in a web application.”

The vulnerability has since been patched.

The attackers gained access to a central database containing names, addresses, internal identification numbers, dates of birth, and Social Security numbers of current and former students, faculty and staff, and student applicants.

How many individuals may have been affected is yet to be determined.

“Georgia Tech’s cybersecurity team is conducting a thorough forensic investigation to determine precisely what information was extracted from the system,” the Institute noted.

“We continue to investigate the extent of the data exposure and will share more information as it becomes available. We apologize for the potential impact on the individuals affected and our larger community. We are reviewing our security practices and protocols and will make every effort to ensure that this does not happen again.”

Comments from the infosec industry

“Academic institutions are a growing target for attacks given the personally identifiable information they collect for tens of thousands of students, employees, donors and partners. This data will quickly make its way to the dark web where it will be used for identity theft, synthetic identity creation and robotic account takeovers,” noted Ben Goodman, VP of global strategy and innovation, ForgeRock.

Bitglass CTO Anurag Kahol pointed out that the stolen info can allow malicious actors to take out loans, intercept tax refunds, use victims’ airline miles, and open utility accounts.

“Schools are responsible for protecting the data that they collect from staff and students (which can include protected health information) as well as faculty research. On Georgia Tech’s website, it boasts of 173 industry collaborators and 62 U.S. patents issued in 2017 alone,” he added.

“If the university doesn’t tighten its security controls, this kind of proprietary data is likely to be placed at risk. This is particularly true now that organizations are storing and sharing data in the cloud more than ever before.”

Brian Johnson, CEO and co-founder of DivvyCloud, says that it could only be a matter of days before affected individuals begin to file class-action lawsuits against Georgia Tech for failing to comply with privacy regulations.

“The financial implications of this breach are likely to be significant—not only in terms of lawsuits and fees for failing to comply with data privacy regulations, but also in terms of damaged reputation. Students were outraged at a similar breach in July 2018 when the university mistakenly shared the personal information of about 8,000 students in the College of Computing with other students at the school. This latest breach will surely add fuel to the fire,” he told Help Net Security.

“When organizations are entrusted with highly confidential information, such as Social Security numbers, it becomes the organization’s responsibility to protect it. Georgia Tech’s incident should serve as a wake-up call for other colleges to leverage automated security solutions. By implementing seamless and continuous policy enforcement, organizations can provide a framework for successfully reducing risk and maintaining compliance across an entire IT environment. These types of tools are especially important for large organizations, like prominent universities, that have complex and dispersed IT environments, spread over multiple campuses and individual colleges/departments.”