U of M: Data breach may involve Social Security numbers, license and passport information
The University of Minnesota has released new details about a data breach investigation that began earlier this year.
As previously reported by 5 EYEWITNESS NEWS, the school announced on Aug. 22 that it had learned of a breach on July 21 that included records dating back to 1989.
On Thursday, a spokesperson for the university announced those records involved people who attended, worked or applied to be a student at the school, or if they were involved in university programs between 1989 and August 2021.
RELATED: U of M facing federal lawsuit over recent data breach
School officials said Thursday that the data the infiltrator received may include some individuals’ full names, addresses, phone numbers, Social Security numbers, driver’s license or passport information, university identification numbers, birthdate and demographic information, admissions applications, employment information, and details on affiliation with the university.
The spokesperson added the investigation revealed donations, medical treatment, passwords and credit card information weren’t accessed.
“I think that people should be very concerned about this,” said Mark Lanterman, chief technology officer of Computer Forensic Services.
Lanterman recommends people who might be affected by the data breach put a freeze on their credit reports.
“What’s on a credit application? Name, address, date of birth, Social Security number. Well there, now I think I have enough to commit fraud against you,” Lanterman said.
Specific information that may have been accessed depends on an individual’s affiliation with the University of Minnesota. Officials say the following are examples of data the infiltrator may have gathered:
- Prospective students and certain parent or guardian data: Information supplied in admissions or financial aid applications submitted directly to the University or through the standard Free Application for Federal Student Aid (FAFSA) form, including student and parent or guardian names, contact information, Social Security numbers, dates of birth, student high school and high school grade information, standardized test scores, demographic information, and family income.
- Students: Information related to the individual’s education, including student contact information and parent or guardian names and addresses, student email addresses, Social Security number, student ID number, date of birth, classes, grades, demographic information, insurance policy number, loan data, degree, and diploma year.
- Employees: Information related to the individual’s work, including name and address, email address, Social Security number, employee ID number, date of birth, driver’s license or identification card, and payroll information (but not bank account information).
- Others: Similar categories of information as described above, if provided by individuals with unpaid University appointments, those who performed work for the University, those who received taxable payments from the University, and University volunteers or spouses/partners of certain University administrators.
The University of Minnesota is currently in the process of notifying potentially affected individuals, saying e-mails will be sent to those the school has an address for. A spokesperson says the e-mail will come from an address called data-incident@notification.umn.edu, and information will also be published on the school’s website.
The school is offering potentially affected people 12 months of free credit and identity monitoring services through Kroll, according to a spokesperson for the school.
Additionally, people may request access to the university’s report on the facts and results of the investigation once it is complete by letting the dedicated call center know.
For more information and resources on the data breach, visit the University of Minnesota’s website.
RELATED: Minnesota lawmakers consider school cybersecurity funding
RELATED: Minneapolis Public Schools: Hacked data released on dark web