The University of Michigan says in a statement today that they suffered a data breach after hackers broke into its network in August and accessed systems with information belonging to students, applicants, alumni, donors, employees, patients, and research study participants.
Unauthorized access to the servers lasted between August 23-27, the university says, and the data exposed included personal, financial, and medical details.
An August cyberattack
“This notice is to inform you about an incident that involved unauthorized access to personal information maintained by the University of Michigan,” starts the data incident update from the university.
After detecting suspicious activity in August, the University of Michigan, isolated its entire campus network from the internet to minimize the impact.
Following a detailed analysis from “a dedicated review team,” the University believes that besides personal data, like an individual’s name, the threat actor also accessed medical and financial information.
For students, applicants, alumni, donors, employees, and contractors, the educational organization says that the following details were exposed:
- Social Security number
- driver’s license or other government-issued ID number
- financial account or payment card number
- health information
Data belonging to participants in research studies and patients of the University Health Service and School of Dentistry may have been impacted, too:
- demographic info (e.g., Social Security number, driver’s license or government-issued ID number)
- financial information (e.g., financial account or payment card number or health insurance information)
- University Health Service and School of Dentistry clinical information (e.g., medical record number or diagnosis or treatment or medication history)
- information related to participation in certain research studies
All individuals whose information was exposed during the breach have been informed of the incident. The letters were mailed today and may take up to five days to reach the destination.
“Out of an abundance of caution, we are offering individuals whose sensitive information may have been involved in this incident complimentary credit monitoring services” – University of Michigan
The University of Michigan disclosed the intrusion shortly after discovering it about a week later and forced a password reset for the accounts on its computer systems.
The educational institution is one of the oldest and largest in the United States, with an academic and administrative staff of more than 30,000 and about 51,000 students.
