UNC-Charlotte Data Breaches Expose 350,000 Social Security Numbers and Much More

Confidential data, including bank account and Social Security numbers for some 350,000 University of North Carolina-Charlotte students, staff and faculty, were accidentally exposed — some for almost 15 years — due to a system misconfiguration and incorrect access settings that made electronic data publicly available.

The school on Wednesday released a statement on an investigation it launched in February after staff discovered the data breach. The investigation revealed two separate incidents exposed data such as names, addresses, Social Security numbers and financial account information provided during university transactions.

One incident involved misconfigurations and incorrect access settings made during a general university system upgrade that left data stored on the university’s H: drive exposed on the Internet from Nov. 9, 2011 to Jan. 31, 2012.

The second involved improperly stored sensitive data belonging to the school’s College of Engineering that allowed for unauthorized access from 1997 until February 2012.

The school said it immediately activated a security incident response plan that included bringing in a forensics team to conduct an in-depth investigation. It also partnered with an information security firm to find and remediate security vulnerabilities campus-wide.

Despite the extent of the exposure, school officials don’t believe any of the information was accessed improperly and have not seen evidence of identity theft. They have notified the victims and outlined standard steps they should take to protect themselves, such as monitoring accounts for suspicious activity and notifying the main credit bureaus and state’s Consumer Protection Division.

“The university has no reason to believe that any information from either incident was inappropriately accessed or that information was used for identity theft or other crime,” according to a school news release.

UNC-Charlotte officials say they will continue to monitor their systems for unusual activity.

“The University consistently utilizes industry standard information protections, uses leading data management vendors, and has dramatically increased its information protection capacity since the discovery of the exposures,” according to the press release. “Nonetheless, the University continues to review all aspects of its information security.”

Some security experts say the breach serves as a warning to better protect data regardless of whether it’s at rest or in transit. 

“This just goes to show how organizations who think they have their perimeters under control are easy victims of attackers if they are not protecting the data itself,” said Mark Bower, data protection expert and VP at Voltage Security. “It’s important to make a distinction here too – database or server level encryption isn’t likely to not stop attackers from getting the “gold” out of the database. Data at rest-only protection does practically nothing to remove the risk. Only a true data-centric encryption approach can turn that data gold into straw – foiling hackers without compromising the application’s business purpose.”

 

Discussion

  • JJ on

    Until things like this stop happening, the "pundits" need to forget all about consumerization of IT.  Obviously there are still more important things to address than whether or not a VP can pull out his work-connected iPhone during a conference event.

  • Anonymous on

    "...database or server level encryption isn’t likely to not stop attackers from getting the “gold” out of the database."  

    So, are they saying "...database or server level encryption *is* likely to stop attackers from getting the “gold” out of the database."?

  • Anonymous on

    Well, yet another security break due to misconfiguration. This looks like it is really getting out of hand. Need to do more to have the enterprise cleaned up from these operators' errors.

  • UNCC Engineering Grad on

    As a UNCC engineering school alumnus from 2002 thru 2006 I can say that they HAVE NOT notified all of the "victims".  To date I have received no direct communication from the University of this breach.  I only heard about it in the news and was informed of the engineering department breach by my father (a retired computer security and encryption specialist for over 20 yrs).  Be careful of what you read in press releases.

  • Ronda on

    Wow 15 years! Looks like they need to redo their security policies and work proactively to make sure UNC-Charlotte doesn't fall victim to this again.
