What happened in the July 2013 cyberattack at UD?

What happened?
On July 22, 2013, the University of Delaware discovered a cyber security breach during routine systems maintenance.

The University of Delaware has notified the campus community that files were taken that include confidential personal information of current and past employees, including student employees. A criminal attack on one of the University’s systems took advantage of a vulnerability in software acquired from a vendor.

The University has sent notification letters to more than 74,000 affected persons and offered them free credit monitoring. Approximately one-third have active UD email accounts and will have received an email notification as well.

Who is affected?
Our investigation has concluded that the breach exposed information about 72,000 current and past employees—including student employees—and fewer than 2,000 other people who received a payment from the University.

What information did the files contain?
Information in the compromised files includes names, addresses of record, Social Security numbers and UD IDs (employee identification numbers).

When did this happen?
The cyberattack occurred on or about July 17, 2013.

How did this happen?
The University of Delaware has concluded its investigation into the July data security breach. UD engaged a leading data security firm to assist in the investigation, and has also reported this incident to the FBI.

Because the FBI investigation is ongoing, we cannot provide detailed information on what happened. But the UD investigation has concluded that one University-maintained system was subject to a criminal attack that exploited a vulnerability in software provided to UD by a vendor.

Several dozen other companies, agencies, and organizations have also been subjected to attacks taking advantage of the same software vulnerability.

Who is responsible for this breach?
The University, our security consultant, and the FBI have not yet identified an individual hacker or group of hackers responsible for this criminal intrusion. It appears that the cyberattack came from outside the United States.

The University of Delaware takes information security very seriously. Before our forensic investigation was completed, we began to strengthen our defenses against future cyberattacks.

Who is going to cover costs involved?
The University’s priority is to protect those who may be at risk due to this cyberattack by providing credit monitoring services. UD will be providing these services at no cost to you.

Additionally, UD is employing a leading data security firm to complete a forensic investigation of the incident to ensure a thorough evaluation of how this breach happened and the most secure path going forward to protect against future attacks.

UD is not passing the costs incurred for the investigation or credit monitoring services to any UD constituency.

Are attacks like these a trend in higher education?
According to an article in the July 16, 2013, New York Times, many large research universities across the country have been subjected to attacks in recent days and weeks. Like most of the other universities subject to these cyber incidents, UD has been working within the parameters of industry best practices to secure our systems.

The incident at the University of Delaware is neither unique nor the largest security breach in higher education. The University is doing everything it can to help you monitor the risk to your personal information.