Indianapolis-based Butler University has warned more than 160,000 students, alumni, faculty, staff, and past applicants that their personal information was exposed during a data breach in 2013.
"We are writing to notify you of an incident that may affect the security of your personal information. Butler University is providing this notice to ensure that you are aware of the incident and so that you may take steps to monitor and safeguard your identity, financial accounts, and credit report, should you feel it is appropriate to do so," the school's notification letter explains.
The incident came to the school's attention after law enforcement officials in California, conducting an identity theft investigation, discovered a flash drive on one of their suspects that contained personal information of Butler employees.
Butler hired outside investigators, who determined that the school's network was compromised in November 2013, and remained in an exposed state until May of this year. Additional investigation into the matter showed that files containing names, dates of birth, Social Security numbers, and bank account details were also compromised.
"Unfortunately, we do think it's a remote hacking. The suspect that's been arrested has no affiliation with Butler University," Michael Kaltenmark, a university spokesperson, told local NBC affiliate, WTHR.
The investigation is ongoing, but the school says they've patched the vulnerable systems that enabled the intrusion.
Moreover, the school is offering one year of credit monitoring to those impacted, and has set up a hotline for additional information (888-414-8021).
"Higher education continues to struggle with protecting personally identifiable information (PII) and in some cases the integrity of their digital grade book and record management systems," J.J. Thompson, the CEO of Rook Security, told Salted Hash in a statement.
The reason for that, Thompson noted, is that most forensics firms do not have the capability to monitor for advanced indicators of compromise (IOCs), such as those identified here.
In addition, Thompson suggested that organizations focused on higher education need to follow some basic proactive steps to avoid similar situations, which include: identifying where sensitive data and PII are stored; confirming that the architecture and controls in place to prevent (or detect) breaches of that data are designed appropriately; and ensuring that existing controls are operating effectively and can do what they are designed to do.
"Not only is it bad news if a breach is detected by a third party - as in the case with Butler - but it's especially bad if it’s not able to be detected in-house and instead is identified through the police or FBI," Thompson added.
"These breaches are just the tip of the iceberg. In other higher education incidents we have been involved with, it is common for us to find additional compromises that have gone on undetected for years before we were brought in to help contain known compromises such as the incident that Butler is dealing with now."