Butler University officials have informed more than 160,000 students, faculty, staff and alumni that their personal information may have been breached, including birth dates, social security numbers and bank account information.
Those affected will receive a letter detailing the breach, which came to light after California officials last month contacted Butler about an identity-theft suspect in custody who had personal information belonging to university employees.
Butler spokesman Michael Kaltenmark says that prompted university officials to act.
“We immediately contacted those employees launched an internal investigation, then we also retained the services of a third-party computer expert, which really helped us figure out the breach and correct the issue,” Kaltenmark says.
Kaltenmark says additional investigation led university officials to believe even more affiliates may have had their information accessed, the approximate number being 163,000.
The university thinks the breach happened between last November and May of this year, a window of about six months.
Kim Milford is the executive director of REN-ISAC, an information sharing and analysis center that focuses on university cybersecurity.
She says that while it may seem strange that a hacker could access vital personal information on a university network without detection, the truth is that hackers are experts at covering their tracks.
“Once they have access to a system, they have access to maybe the logs on that system so they can erase what they did on that system,” Milford says. “And we’re always playing catch up. So they find one way to hide their tracks, and we’re like ‘here’s how we counteract that’ and then they’ll figure out another one.”
Butler is offering a year of free credit-monitoring services for those affected by the breach.