A US university renowned for its computer science programs has revealed that over one million current and former students and staff have had sensitive data accessed by an unauthorized third party.
Georgia Tech issued a brief note on Tuesday claiming that “unauthorized access to a web application” had allowed the individual to potentially steal data on 1.3m faculty, students, staff and student applications.
“The information illegally accessed by an unknown outside entity was located on a central database,” it added. “Georgia Tech’s cybersecurity team is conducting a thorough forensic investigation to determine precisely what information was extracted from the system, which may include names, addresses, social security numbers, and birth dates.”
The web app vulnerability in question has now been addressed after the university’s IT team discovered the incident at the end of last month, although it’s unclear how long the third party had access to the sensitive staff and student data.
The relevant educational authorities have been notified and more information is expected soon.
“We continue to investigate the extent of the data exposure and will share more information as it becomes available,” said Georgia Tech.
“We apologize for the potential impact on the individuals affected and our larger community. We are reviewing our security practices and protocols and will make every effort to ensure that this does not happen again.”
The incident could mean Georgia Tech is in breach of FERPA, the US privacy law covering student records, according to Mike Mason, general manager of cloud security at FairWarning.
“Learning institutions are incredibly rich in sensitive data for hackers,” he added. “This breach underscores the importance of monitoring cloud applications, and visibility at the application layer into who is uploading and downloading documents and other sensitive business information.”