Security

Georgia Tech Breach Strikes Possible 1.3 Million

• By Dian Schaffhauser
• 04/17/19

Georgia Tech recently went public about a data breach — the second in less than a year — that could have exposed the personal information of up to 1.3 million people. The cause: a custom web application with a form that was vulnerable to SQL injection.

In mid-2018, Tech suffered data exposure when the university mistakenly sent personal details of almost 8,000 College of Computing students to fellow students as part of an invitation to a conference. The list was accidently attached to the e-mail.

The institution uncovered the latest unauthorized access on March 21, when developers for the school "noticed a significant performance impact" in one of its web applications (which has since been patched). From there, cyber criminals were able to gain access to a "central database."

The security team was able to trace the first of a series of unauthorized breaches to Dec. 14, 2018. By April 2, the institution had begun notifying those affected, including current and former faculty, students, staff and student applicants. The information available on the database included names, addresses, internal ID numbers, dates of birth and social security numbers. It didn't include financial information, health records, grades or research data.

Georgia Tech is working with forensic and data analysis firms, as well as its own police force and the FBI.

"We continue to investigate the extent of the data exposure and will share more information as it becomes available," the institute stated on its website. "We apologize for the potential impact on the individuals affected and our larger community. We are reviewing our security practices and protocols and will make every effort to ensure that this does not happen again."