Now the university has started notifying 34,000 students and associates that their personal details may have been accessed. This latest breach, the largest of six over the last six years, seems to have been an external hack from overseas. No more is yet know; or at least no more has been yet disclosed. The breach was discovered on 6 June, but the university is unclear when it actually occurred.
Bill Hogue, USC’s vice president for information technology, told South Carolina’s The State newspaper, that university officials decided to examine the severity of the breach before going public. “We favored being as accurate and comprehensive as possible,” he said. “If someone wants to take us to task (for the notification delay), I can understand.”
According to The State, the intrusion exposed the names, addresses and Social Security numbers of students, staff and researchers at the College of Education dating back to 2005. The gap between discovery and notification worries the Office of Inadequate Security blog authors. “When did they send these notifications? And were they, as seems possible, storing Social Security Numbers on the server? If so, I’d like to know why they were still storing/using SSN’s.”
Beth Given, director of the Privacy Rights Clearinghouse, is also worried about the notification delay. Eleven weeks, she points out, gives ample time for identity theft via any stolen details. The university says it has found no evidence that the hacker or hackers actually accessed personal data, but Given said “I question how they would know with 34,000 people that no one had their information accessed.”
The university has taken precautionary measures by employing Kroll Advisory Solutions to assist anyone affected.