The Georgia Institute of Technology, well known as Georgia Tech, has confirmed a data breach that has exposed personal information of 1.3 million current and former faculty members, students, staff and student applicants.
In a brief note published Tuesday, Georgia Tech says an unknown outside entity gained “unauthorized access” to its web application and accessed the University’s central database by exploiting a vulnerability in the web app.
Georgia Tech traced the first unauthorized access to its system to December 14, 2018, though it’s unclear how long the unknown attacker(s) had access to the university database containing sensitive students and staff information.
The database contained names, addresses, social security numbers, internal identification numbers, and date of birth of current and former students, faculty and staff, and student applicants.
However, the University has launched a forensic investigation to determine the full extent of the breach.
“The information illegally accessed by an unknown outside entity was located on a central database. Georgia Tech’s cybersecurity team is conducting a thorough forensic investigation to determine precisely what information was extracted from the system, which may include names, addresses, social security numbers, and birth dates,” the note published on the University website reads.
The University’s IT team discovered the web app vulnerability at the end of last month when it noticed a significant performance impact.
“Application developers for the Institute noticed a significant performance impact in one of its web applications and began an investigation on March 21, 2019,” Georgia Tech says in the FAQs detailing the incident.
“During this investigation, it was determined the performance issue was the result of a security incident.”
Georgia Tech has since patched the vulnerability and already started notifying potentially impacted individuals via email.
The University is also “coordinating with consumer reporting agencies and the University System of Georgia to determine what protections will be provided” to the affected individuals.
Georgia Tech has also notified the U.S. Department of Education and University System of Georgia (USG) and is expected to release more information soon.
“We continue to investigate the extent of the data exposure and will share more information as it becomes available. We apologize for the potential impact on the individuals affected and our larger community. We are reviewing our security practices and protocols and will make every effort to ensure that this does not happen again,” the University said.