A vulnerable web app may have compromised the personal information of 1.3 million students, alumni and employees at Georgia Institute of Technology, the institution announced on Wednesday.
The data breach was detected in March, but it is believed to have started in December 2018, giving an intruder plenty of time to access the database and extract information. This may have affected some critical details, including names, addresses, Social Security numbers and birth dates.
Because they collected personally identifiable information and student records, academic institutions are a top target — hackers can make millions selling the data on the dark web. It’s somewhat unexpected that Georgia Tech, a large institution focused on computer science and cybersecurity innovation, has suffered such a basic breach not once but twice in recent months.
In the first, in 2018, the information of some 8,000 students was accidentally emailed to the wrong person. But the bigger shock is that, in 2017, the state of Georgia committed to investing $60 million in cyber training, so at least in theory its security should have been bulletproofed to protect proprietary data.
“The U.S. Department of Education and University System of Georgia have been notified, and those whose data was exposed will be contacted as soon as possible regarding available credit monitoring services,” the school said.
The cybersecurity team at Georgia Tech is investigating the extent of the breach and other online vulnerabilities, but no details have been released regarding the web application that caused it.