University Takes 11 Weeks to Alert 34,000 About Data Breach
The University of South Carolina is just now (Aug. 22) letting students and employees know about a data breach that occurred almost three months ago.
Since 2006, USC has announced six data breaches affecting about 80,000 records. This one, which impacts the College of Education, is the largest.
The university is in the process of alerting 34,000 people that their personal information — including names, addresses and Social Security numbers — may have been compromised. Students, staff and researchers who were associated with the college as far back as 2005 may be affected.
USC cannot pinpoint when the hackers gained access, but said that an alert on June 6 brought the issue to its attention.
Why, then, did it take the university nearly three months to alert anyone?
According to the Columbia, S.C., newspaper The State, Bill Hogue, USC's vice president for information technology, said the university didn't want to scare anyone before it knew exactly what had happened and the extent of the damage.
"We favored being as accurate and comprehensive as possible," Hogue said. "If someone wants to take us to task (for the notification delay), I can understand."
Many might do so. Security experts say that time is one of the most precious tools in a hacker's arsenal.
Once your personal information falls into the wrong hands, it only takes a matter of minutes — not months — for criminals to begin using your identity, accessing your other personal accounts and destroying your data.
Just ask Mat Honan, a writer for Wired who watched helplessly as all of the data from his computer, phone and tablet were wiped clean in 15 minutes by a remote hacker who had gained access to his Apple account.
Local television station WIS-TV said the university was sending notifications by snail mail and was advising those impacted to place fraud alerts on their accounts. USC has also hired Kroll Advisory Solutions to assist college affiliates in preventing fraudulent activity.