Over 63,000 student and staff records exposed

Feb 6, 2016 22:15 GMT  ·  By

University of Central Florida (UCF) administration has admitted to a data breach incident that allowed an unknown assailant to access and steal the details of over 63,000 staff and faculty members and current and former students.

Officials announced the breach on Thursday, February 4, but they said they had known of it since January and had been collaborating with law enforcement and a security firm to investigate the incident.

The University stated the attacker had access to Social Security numbers (SSNs), but not credit card details, student grades, financial or medical records. Most of the leaked data seems to belong to students.

More precisely, the attacker had access to SSNs, first and last names, student ID numbers, the number of credit hours taken, the number of credit hours in progress, practiced sport, the time of their walk-on or recruitment, and UCF employee ID numbers (where applicable).

Student-athlete information was stolen

Right now, UCF says that the attacker managed to access details for two groups of students.

Thr first group includes information on current student-athletes that played for UCF in the 2014-15 NCAA season, along with some staff members and managers associated with the UCF Knights teams.

The second category comprises of details on current and former university employees from the OPS (Other Personal Services) employee group. This list includes graduate assistants, housing resident assistants, undergraduate student employees, adjunct faculty instructors, student government leaders, and some faculty members.

"Any business, organization or institution which keeps social security numbers, credit card information and other personal data online is a potential goldmine for the cybercriminal because they can get a massive amount of information in a very short period of time," Paul Jespersen, Vice President of Enterprise Business Development at Comodo, told Softpedia.

"Schools, hospitals and even governments can be at particular risk due to the likelihood of handling private information criminals would find attractive,” Mr. Jespersen also noted.

Here comes the class action lawsuit

Despite the fact that UCF seems to say in its press release that it followed everything by the book, even offering a free year of credit monitoring for all victims, ClickOrlando.com is reporting on a class action lawsuit filed by a former University of Central Florida student body president and member of UCF's Board of Trustees.

According to the lawsuit, the plaintiff is accusing UCF of knowing and hiding facts about the data breach, which actually took place in December 2015, not a month later, as University management is now alleging.

The plaintiff is also saying that one free year of credit card monitoring was not enough, and that UFC also violated FERPA (Family Educational Rights and Privacy Act).