U Delaware Hack Hits 72,000 Staffers
By Dian Schaffhauser
The University of Delaware is attempting to make contact with 72,000 people whose information was vacuumed up during a recent server hacking. The university said that the cyber break-in took place on or around July 17, 2013, and was discovered by IT on July 22 during "routine systems maintenance." Campus representatives announced that the files taken included confidential personal information for current and past employees, including student employees.
U Delaware said the attack occurred when a hacker "took advantage of a vulnerability in software acquired from a vendor."
According to a local news report on DelawareOnline, the hacking occurred due to an unpatched version of Struts2 "that was used by the university on a server that hosted business functions." Struts2 is an Apache framework for creating "enterprise-ready Java Web applications." A number of recent releases have addressed security vulnerabilities. Developers using Struts 2 were "strongly advised" in a June community note to update existing Struts 2 applications to Struts 126.96.36.199 "immediately."
The reporting said the same server was used to host part of a Web site "that allows students to pay bills." The university hasn't said that any additional student information was stolen during the security event.
The university reported that it "took immediate corrective actions" and is working with the Federal Bureau of Investigation as well as security firm Mandiant to investigate the causes and scope of the attack.
The institution has sent notification letters to "more than 72,000 affected persons." It has also offered them free credit monitoring. About a third of those recipients also have active campus email accounts and have been sent email notifications as well.
School administrators have hired Kroll Advisory Solutions, which provides risk mitigation and response services, to work with those affected by the breach.
Dian Schaffhauser is a senior contributing editor for 1105 Media's education publications THE Journal and Campus Technology. She can be reached at firstname.lastname@example.org or on Twitter @schaffhauser.