[BreachExchange] Data breach exposes up to 1.3M Georgia Tech faculty, students

Destry Winant destry at riskbasedsecurity.com
Wed Apr 3 07:45:11 EDT 2019


https://www.ajc.com/news/breaking-news/breaking-data-breach-exposes-georgia-tech-faculty-students/zAUUNWy5hoHQ8bNvMxcsWL/

It sounds a bit ironic: a data breach potentially affecting 1.3
million current and former students, faculty and staff members at
Georgia Tech, the world-renowned university with lauded computer
science programs.

But it happened.

The school disclosed the breach, its second in less than a year, on
Tuesday, saying it feared the exposed information included names,
addresses, social security numbers and birth dates. Tech spokesman
John Toon said officials at the school, which typically has around
30,000 students enrolled, learned in “late March” that a central
database had been accessed by an unknown outside entity.

Toon said Tech immediately corrected the application, but personal
information was likely exposed. “Georgia Tech’s cybersecurity team is
conducting a thorough forensic investigation to determine precisely
what information was extracted from the system,” he said.

The school is working to identify the individuals whose data was
compromised and intends to contact them, Toon said. He didn’t say by
when victims could expect to be notified.

The breach is reminiscent of, but far larger than, one last July when
students were furious after the university mistakenly emailed the
personal information of nearly 8,000 College of Computing students to
other students.

The information leaked in 2018 included student identification
numbers, phone numbers, dates of birth, addresses, grade-point
averages and nations of origin for those born in other countries.
Social security numbers weren’t included, Tech officials said.

Nate Knauf, who’s studying computer science at Tech, told The Atlanta
Journal-Constitution the latest breach was “incredibly disappointing.”

He added: “Given our high rankings in computer science, this is simply
inexcusable.”

Many questions remain unanswered in the breach, including how and when
the breach was discovered; who committed it; where the 1.3 million
estimate of affected parties came from; and what, if any, law
enforcement agency is investigating.

Toon said he couldn’t yet offer that information. He did say the U.S.
Department of Education and University System of Georgia have been
notified.

While it may seem strange for a school that teaches cybersecurity to
be hit twice in a year, schools like Tech aren’t uncommon targets as
data hacks become increasingly commonplace.

“Academic institutions aren’t exactly new targets — they are actually
big targets,” said Humayun Zafar, a professor in information security
at Kennesaw State University. “At the end of the day the systems that
are used across the board (for data retention) are similar.”

Such breaches have happened at universities across the U.S., including
the University of Texas and Yale University, and in 2018 federal
authorities indicted nine Iranians for allegedly hacking 144 American
universities.

Then there are the hacks of municipalities, including Atlanta, banks,
Equifax, big box retailers and even hospitals. Last year, Augusta
University Health officials said they feared sensitive health and
personal information of about 417,000 people may have been
compromised.

Each attack can be different, with different motives and levels of
success, and it’s too soon to say how the Tech hack played out.

But Zafar said he suspects what happened at Tech was a so-called “zero
day” attack, in which a hacker finds and pounces on a system
vulnerability that the system’s owner isn’t aware of. It’s something
like what could happen if a homeowner forgot about leaving a spare key
under the doormat. A crook can come along, find it and get in the house.

What tends to happen after zero-day attacks, Zafar said, is the
attacked victim recognizes the vulnerability and patches it so the
issue won’t happen again. The homeowner moves the key.

But the crook has already been inside, and the damage must be assessed.

“We continue to investigate the extent of the data exposure and will
share more information as it becomes available,” Mark Hoeting, the
school’s vice president for information technology, said in an email
to students. “We apologize for the potential impact on the individuals
affected and our larger community. We are reviewing our security
practices and protocols and will make every effort to ensure that this
does not happen again.”

Zafar said Tech’s breach may cause the state’s other academic
institutions to take a harder look at what can be done to prevent such
attacks.

