ROCHESTER, N.Y. — The FBI is working with the University of Rochester and an outside data forensic firm to investigate a data breach disclosed by the school last week.
According to a statement issued by the school on June 2, the data breach resulted from a software vulnerability in a product provided by a third-party file transfer company and has impacted approximately 2,500 organizations worldwide. A university spokesperson said the school messaged all students and employees on Friday to inform them of the breach.
“At this time, we believe faculty, staff, and students could be impacted, but we do not yet know the full scope of the impact to University community members or which personal data was accessed, as the investigation is ongoing,” the statement reads. “We will provide updates as soon as available.”
The school urges faculty, staff, students, and dependents to take steps to protect their personal information, such as changing passwords, implementing two-factor or multi-factor authentication, and checking credit card and bank records. It also recommends anyone who notices suspicious activity on their personal or campus-related accounts contact financial institutions and credit monitoring agencies.
Data breaches continue to impact nearly all business sectors. According to a 2022 report from the Identity Theft Resource Center, there were 1,802 data breaches worldwide exposing the data of tens of millions.
Experian, a credit-rating agency, reported last fall there were 5.8 million instances of fraud complaints in 2021 — up nearly one-fifth from the year prior. Additionally, financial losses increased 77% to $6.1 billion, and consumer identity theft complaints totaled around 1.43 million.
Cybercriminals are also changing and escalating their tactics. In Dec. 2022, a hacker group that gained access to Knox College’s student data began emailing students directly with their ransom demands. The message claimed the hackers had personal data, including Social Security numbers, medical records, and psychological assessments. The group said it would sell the stolen information online if demands weren’t met.
On March 7, a ransomware gang released stolen data from Minneapolis Public Schools (MPS) after the district refused to pay a ransom. Many of the files outlined campus rape cases, child abuse inquiries, student mental health crises, and suspension reports. The data breach also exposed campus security map documents, including specific locations of campus surveillance cameras.