University of Central Florida hack compromises 63,000 Social Security numbers
UCF posted the following statement today:
An intrusion into the University of Central Florida’s computer network has resulted in unauthorized access to certain personal information of some current and former students and employees.
After UCF discovered the unauthorized access in January, university officials immediately reported the incident to law enforcement and launched an internal investigation with the assistance of a national digital forensics firm.
To date, the investigation has determined unauthorized access to Social Security numbers — but not credit card information, financial records, medical records or grades — for approximately 63,000 current and former students, staff and faculty members.
“Safeguarding your personal information is of the utmost importance at UCF,” President John C. Hitt said in an email to the campus community this morning. “To ensure our vigilance, I have called for a thorough review of our online systems, policies and training to determine what improvements we can make in light of this recent incident.
“Every day, people and groups attempt to illegally access secure data from institutions around the world. Higher education institutions are popular targets. UCF will continue to work diligently to protect this important information from those who would break the law to get it.”
UCF, which is notifying those impacted by the incident via letters that should be received the week of Feb. 8, is offering one year of free credit monitoring and identity-protection services for affected individuals.
UCF has established a web page – www.ucf.edu/datasecurity – with details about the incident, including the groups of current and former students and employees involved and recommendations for those impacted. UCF also has established a call center, available at 877-752-5527 from 9 a.m. to 9 p.m. Monday through Friday. Spanish-speaking operators also are available.
UCF has already begun taking actions to enhance user account and password security and strengthen data security processes and protocols on the university’s computer network. The university also will expand information-security education and training.
The FAQ on the incident contains two important pieces of information:
Who is impacted?
Based on our investigation, we believe the intrusion into the university’s computer network resulted in unauthorized access to certain personal information for two groups.
One group includes some current student-athletes, as well as some former student-athletes who last played for UCF in 2014-15. This group also includes some student staff members, such as managers, supporting UCF teams.
The second group includes current and former university employees in a category known as OPS, or Other Personal Services. Examples of positions in this category include undergraduate student employees (including those in work-study positions), graduate assistants, housing resident assistants, adjunct faculty instructors, student government leaders and faculty members who have been paid for dual compensation/overload (for example, teaching additional classes). If you are not sure of your employment category, you can check with your supervisor or your department’s human resources representative. Employees who previously held but do not currently hold OPS positions may be included.
We are notifying those impacted by the incident via letters that should be received the week of February 8.
What specific information was involved?
For the group of student-athletes and student staff members supporting those teams, the information included first and last names, Social Security numbers, student ID numbers, sport, whether they were walk-ons or recruited, and number of credit hours taken and in progress.
For the group of employees, the information included first and last names, Social Security numbers and UCF-issued Employee Identification Numbers.