Sensitive financial and personal information on 80,000 UC Berkeley staff, students and vendors may have been exposed to hackers after they exploited an unpatched hole in a university financial app, it has been revealed.
The attackers struck in late December last year as university IT staff were in the process of patching the vulnerability in the Berkeley Financial System (BFS), according to an official Berkeley News report.
The BFS is a financial management app handling things like staff payments, student grants, and travel reimbursements.
As such, the breach has potentially affected half of all current students and 65% of employees, the report claimed.
That is: 57,000 current and former students; 8800 past and present employees; and 10,300 vendors who do business with the campus and therefore had their Social Security bank account numbers logged in the system.
The university said it doesn’t know for definitive if any of the 80,000 thought to be affected have had their details – potentially including Social Security or bank account details – stolen. However, as of last week it began informing them as a precaution.
As is usually the case, free credit monitoring and identity theft insurance will be offered – this time for one year – as well as other help to spot suspicious account activity.
“The security and privacy of the personal information provided to the university is of great importance to us,” said UC Berkeley CISO, Paul Rivers, in a statement. “We regret that this occurred and have taken additional measures to better safeguard that information.”
Rivers’ team apparently spotted the intrusion attempt within 24 hours of it happening and pulled the plug on any impacted servers, but they may not have been quick enough.
It’s not the first time the prestigious California university has been hit by a cyber-attack.
In April last year the university was forced to notify hundreds of students of a potential data breach after spotting an unauthorized access attempt to a campus web server managed by the Division of Equity and Inclusion.
Tripwire security researcher, Lane Thames, argued that universities are an increasingly popular target for cyber-criminals as a source not only of potentially lucrative IP but also personally identifiable information (PII).
“Universities and post-secondary educational institutions should not be using Social Security numbers for their students. School-specific identifiers should be used instead,” he explained.
“The Social Security Administration frowns upon use of Social Security numbers for school identity purposes, and the Family Educational Rights and Privacy Act (FERPA) provides guidance on the use of students' Social Security numbers. Universities that still utilize Social Security numbers for students should consider implementing a more modern approach based on their own internal identification system.”