Confidential data, including bank account and Social Security numbers for some 350,000 University of North Carolina-Charlotte students, staff and faculty, were accidentally exposed — some for almost 15 years — due to a system misconfiguration and incorrect access settings that made electronic data publicly available.
The school on Wednesday released a statement on an investigation it launched in February after staff discovered the data breach. The investigation revealed two separate incidents exposed data such as names, addresses, Social Security numbers and financial account information provided during university transactions.
One incident involved misconfigurations and incorrect access settings made during a general university system upgrade that left data stored on the university’s H: drive exposed on the Internet from Nov. 9, 2011 to Jan. 31, 2012.
The second involved improperly stored sensitive data belonging to the school’s College of Engineering that allowed for unauthorized access from 1997 until February 2012.
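The two incidents above are two distinct failures: sensitive data exposed by incorrect access settings, and sensitive data that should not have been sitting in a shared store in the clear at all. The following audit script is an added example (not part of the article, and not code from UNC-Charlotte or any named vendor) showing how a defender can walk a shared drive, flag files that hold Social Security-number-shaped tokens, and separate those that are also world-readable from those that are merely stored unprotected. The SSN regex, the severity labels and the sample tree built by `build_sample_tree()` are all constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Pattern shaped like a US Social Security number (###-##-####). This is a
# constructed heuristic for the example, not a validated SSN check.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
MAX_SCAN_BYTES = 1_000_000  # read at most this much of each file


def is_world_readable(path):
    """True when the 'other' read bit is set on the file's mode."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def contains_ssn_like(path):
    """True when the first MAX_SCAN_BYTES of the file hold an SSN-shaped token."""
    try:
        with open(path, "rb") as fh:
            data = fh.read(MAX_SCAN_BYTES)
    except OSError:
        return False
    return SSN_RE.search(data.decode("utf-8", errors="ignore")) is not None


def audit_tree(root):
    """Walk root and return one finding per file holding SSN-shaped data.

    severity is 'exposed' when the file is also world-readable (the
    access-settings failure) and 'stored_in_clear' otherwise (the storage
    failure). Findings are sorted by relative path.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path):
                continue
            if not contains_ssn_like(path):
                continue
            exposed = is_world_readable(path)
            findings.append({
                "path": os.path.relpath(path, root),
                "world_readable": exposed,
                "severity": "exposed" if exposed else "stored_in_clear",
            })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree():
    """Create a constructed directory tree with three files and return its root.

    The contents and modes are invented for this example: one harmless
    world-readable file, one world-readable file with SSN-shaped data, and one
    owner-only file with SSN-shaped data.
    """
    root = tempfile.mkdtemp(prefix="hdrive_audit_")
    samples = {
        "public/readme.txt": (b"Campus parking map, updated 2012.\n", 0o644),
        "shared/payroll_export.csv": (b"id,ssn\n1,123-45-6789\n", 0o644),
        "private/grades.csv": (b"student,ssn\nA,987-65-4321\n", 0o600),
    }
    for rel, (body, mode) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for finding in audit_tree(sample_root):
        print(f"{finding['severity']:16} {finding['path']}")
```

Run against a real share, `audit_tree()` would be pointed at the mount point rather than the sample tree; the mode-bit check is a POSIX view, so on a share exported through another protocol the "exposed" test should be replaced with the share's own ACL query. The regex is deliberately loose and will produce false positives, which is the right trade-off for an inventory pass whose output is reviewed by a person.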
The school said it immediately activated a security incident response plan that included bringing in a forensics team to conduct an in-depth investigation. It also partnered with an information security firm to find and remediate security vulnerabilities campus-wide.
Despite the extent of the exposure, school officials don’t believe any of the information was accessed improperly and have not seen evidence of identity theft. They have notified the victims and outlined standard steps they should take to protect themselves, such as monitoring accounts for suspicious activity and notifying the main credit bureaus and the state’s Consumer Protection Division.
“The university has no reason to believe that any information from either incident was inappropriately accessed or that information was used for identity theft or other crime,” according to a school news release.
UNC-Charlotte officials say they will continue to monitor their systems for unusual activity.
“The University consistently utilizes industry standard information protections, uses leading data management vendors, and has dramatically increased its information protection capacity since the discovery of the exposures,” according to the press release. “Nonetheless, the University continues to review all aspects of its information security.”
Some security experts say the breach serves as a warning to better protect data regardless of whether it’s at rest or in transit.
“This just goes to show how organizations who think they have their perimeters under control are easy victims of attackers if they are not protecting the data itself,” said Mark Bower, data protection expert and VP at Voltage Security. “It’s important to make a distinction here too – database or server level encryption isn’t likely to stop attackers from getting the “gold” out of the database. Data at rest-only protection does practically nothing to remove the risk. Only a true data-centric encryption approach can turn that data gold into straw – foiling hackers without compromising the application’s business purpose.”