The University of Minnesota plans to email 2 million former students, applicants, staff and more people whose information may have been leaked in a data breach it discovered in July of this year. A hacker claims to have accessed more than seven million Social Security numbers, according to the tech news site The Cyber Express.
Cybersecurity specialist Ian Coldwater joined MPR News host Cathy Wurzer to talk about what steps those whose information may have been leaked can take to protect against identity theft.
For the full conversation, click play on the audio player above or read the transcript below. The transcript has been lightly edited for clarity.
How does something like this happen?
Well, it could happen in any number of ways. The hacker in this case said that they accessed the database of student records from the time that the U of M started digitizing them in 1989. And there’s various ways that a hacker could get into a database like this, but basically, I think from the back end, it happens because there weren’t sufficient security measures to keep the hackers out.
MPR News is supported by Members. Gifts from individuals power everything you find here. Make a gift of any amount today to become a Member!
Are hacks becoming more common in higher education?
You know, it’s hard to say, I don’t have the statistics on that. But, it has been happening a lot. An exhibit got put in recently in a lawsuit, regarding the MOVEit vulnerability that listed over 900 schools and organizations that were affected by this particular software. This included a list of schools in Minnesota, as well as Harvard, Stanford and various organizations and schools that we’ve all heard of.
So it does happen, it’s been happening a lot this year, because there have been a couple of particularly high-profile vulnerabilities that have been affecting schools a lot.
How many people use File Transfer software? How concerning is that?
It’s very difficult to entirely prevent the possibility of being hacked, because there’s just so many things that can go wrong. But some things that institutions can do in situations like this to try to prevent the scale of the breach from becoming bigger is limit who can access sensitive information and to segregate information on networks.
This way, if somebody does get into the network, they can’t see absolutely everything and also encrypt the data on those databases and on those networks.
What are some of the risks these folks are facing?
It’s a lot of people, I mean, honestly, myself included. Some of the risks that people are facing in a breach like this include identity theft, because there’s a lot of personal identifiable information that can come out in a breach like this.
Some things that people can do to try to protect themselves in this situation can be found on identitytheft.gov. People need to keep an eye out for their financial information, for their internet accounts, stuff like that.
People’s threat models can kind of vary depending on their personal situation. For example, for people who have tried to escape from domestic abuse, having their personal information out there might carry a different kind of threat.
Know what kind of risks you are facing personally. And if you’re facing that kind of threat, maybe take different kinds of safety measures. But for most folks, it’s mostly an identity and potentially fraud risk.
Do you have to wait until you get the email from the U to start doing something?
Here’s the thing — a lot of people are not going to get an email from this breach because the only people who are getting emails about it are people who the U of M has on file already. So I wouldn’t assume necessarily that if you don’t see an email from this, that you haven’t been affected if you are on this list of people.
Such as people who have applied as a student, former students, former employees, contractors, people who have volunteered anyone who’s been affiliated or involved with the U.
If you are one of those people, I would assume that you have been affected, whether or not you receive that email. You don’t have to wait for the email in order to start taking measures to protect yourself, you can start doing that now.
How would you start that process?
To protect against identity theft, there’s a really good practical list of steps listed on identitytheft.gov that people can check. For protecting your internet accounts, one thing you can do is change your passwords. Although it doesn’t really say that passwords have been breached here, as far as I know.
But a couple of good things to do generally to protect your internet accounts are to not reuse passwords. Don’t use the same passwords on different accounts and use a password manager such as 1Password or Bitdefender.
Another thing that you can do that’s very useful is use multifactor authentication so that if somebody gets into your accounts, if they try to log into your account, then it has to make you prove that you’re you in order to log in.
And so if a hacker gets in, and then needs to have that extra step, it prevents them from being able to get in further.
We don’t know if donors have been affected. It’s mostly students, former students and employees, right?
It’s prospective students, students, employees and then it says others — individuals with unpaid university appointments, those who performed work for the university, those who received taxable payments from the university and university volunteers or spouses or partners of certain university administrators.
If you’re any of those people, expect that it’s possible that you might have been affected by this.
Are we seeing more individuals affected by data breaches going to court? Have you been able to determine that?
It’s hard to say because there are, frankly, just so many data breaches. It does happen. I don’t know if it happens universally, but as more data breaches happen it would not shock me if you started seeing more of that kind of thing happen.
You had asked a second ago if it is just a matter of identity theft, rather than financial fraud and, well, it’s a little hard to say because identity theft can lead to financial fraud. Like if somebody has enough of your identity information to be able to open up an account on your behalf with your name and info, that can be a financial issue too.
I would just say keep an eye out on your financial accounts, on your credit reports and if anything funny happens, if there are any transactions you didn’t make accounts, logins that weren’t you — don’t wait, jump on that, report it, try to shut it down because you want to nip it in the bud while you can.
Subscribe to the Minnesota Now podcast on Apple Podcasts, Google Podcasts, Spotify or wherever you get your podcasts.
We attempt to make transcripts for Minnesota Now available the next business day after a broadcast. When ready they will appear here.
