Earlier this month, the Georgia Institute of Technology, better known as Georgia Tech, disclosed a data breach that exposed the personal information of 1.3 million individuals associated with the university.
Current and former faculty members, students, staff, and student applicants all may have been caught up in the breach, according to a statement from university spokesman John Toon. The compromised database included a wide array of personal information—including social security numbers, dates of birth, names, and addresses.
According to Toon, university IT officials discovered the breach in late March and took corrective action immediately, though the culprit and full extent of the damage are still unknown. The first unauthorized access occurred back in December 2018, meaning the database vulnerability existed for at least three months undetected.
How Did the Breach Happen?
Georgia Tech’s IT team says an unknown, outside entity gained unauthorized access to the university’s central database by exploiting a security vulnerability in its web application. The team became aware of the unauthorized access when it noticed a significant deterioration in the application’s performance, and launched an investigation.
"Application developers for the Institute noticed a significant performance impact in one of its web applications and began an investigation on March 21, 2019," says a note published on the university website detailing the incident. “Georgia Tech’s cybersecurity team is conducting a thorough forensic investigation to determine precisely what information was extracted from the system.”
Georgia Tech has since patched the vulnerability and started notifying potentially impacted individuals via email.
The university is also "coordinating with consumer reporting agencies and the University System of Georgia to determine what protections will be provided" to the affected individuals, according to the incident website. It also notified the U.S. Department of Education.
Still, many questions remain unanswered, including who committed the breach, what information was actually taken, and whether law enforcement will get involved.
Schools as Prime Targets
“Academic institutions are a growing target for attacks given the personally identifiable information they collect,” said Ben Goodman, VP of global strategy and innovation at ForgeRock. It is imperative for large institutions like Georgia Tech to maintain security due to the amount and type of information they possess.
Georgia Tech may take some comfort knowing that it’s not alone. Similar incidents have occurred at universities across the U.S., including the University of Texas, Yale, and Butler. Just last year, federal authorities indicted nine Iranians for allegedly hacking 144 American universities.
Alarmingly, this is actually the second data-security issue Georgia Tech has suffered in just the last year. In the previous incident, which occurred in July of 2018, the university mistakenly emailed the personal information of nearly 8,000 College of Computing students to other students.
Though the previous incident was much smaller in scale, back-to-back data incidents represent a black eye for a school revered for its computer science program and considered a leader in cybersecurity education. As recently as January 2017, Georgia Governor Nathan Deal announced the state would invest $60 million for a cybersecurity hub at the school, which would combine expertise in academia, private industry, and government to establish statewide cybersecurity standards.
Spokesman Toon added: “Given our high rankings in computer science, this is simply inexcusable.”
LogicGate Can Help You Prepare for a Data Breach
It just goes to show: if it can happen at an academic institution world-renowned for its computer science program, it can happen anywhere. That’s why the best plan is to prepare for a data breach as if it’s going to happen. That doesn’t mean it’s easy or foolproof: at any organization, preparing data breach response plans, automating processes, and keeping key personnel up-to-date are no small tasks. The moment a crisis hits is not the time for strategy and planning; you want your security team focused on executing your response plans. LogicGate’s IT Security Risk Management module empowers risk professionals and entire organizations to prepare for and respond to data breaches, ultimately reducing potential risks and costs, and enabling your business to focus on business.