The data breach occurred through an unspecified web application, through which names, addresses, Social Security numbers and birth dates were extracted. The irony is that Georgia Tech is a world-renowned university with lauded computer science programs.
According to Patch.com, the U.S. Department of Education and University System of Georgia have been notified. Officials indicate that those whose data was exposed will be contacted as soon as possible regarding available credit monitoring services.
Students received an email from Georgia Tech’s vice president of information technology explaining the breach. One student tweeted in response: “Uh oh… and then it happened. Security breach at @GeorgiaTech potentially affecting 1.3 million users! Investigation in progress. #breach #securityvulnerability #cybersecurity #infosec #hacking pic.twitter.com/19Ln5cyQb7” (quoted by WSB Radio).
Commenting on the data breach, Brian Johnson, CEO and co-founder, DivvyCloud, tells Digital Journal that action is likely to follow: “Much like Yale’s disclosure of its data breach last year that it suffered between 2008 and 2009, it could only be a matter of days before affected individuals begin to file class-action lawsuits against Georgia Tech for failing to comply with privacy regulations.”
He also notes that things will be costly: “The financial implications of this breach are likely to be significant—not only in terms of lawsuits and fees for failing to comply with data privacy regulations, but also in terms of damaged reputation. Students were outraged at a similar breach in July 2018 when the university mistakenly shared the personal information of about 8,000 students in the College of Computing with other students at the school. This latest breach will surely add fuel to the fire.”
In terms of lessons to be learned, he notes: “Georgia Tech’s incident should serve as a wake-up call for other colleges to leverage automated security solutions. By implementing seamless and continuous policy enforcement, organizations can provide a framework for successfully reducing risk and maintaining compliance across an entire IT environment. These types of tools are especially important for large organizations.”
Also weighing in is Jonathan Bensen, CISO and senior director of product management, Balbix. He takes a look at Georgia Tech’s history with cybersecurity: “Unfortunately for them, this is the second year in a row that Georgia Tech has suffered a data breach. In 2018 nearly 8,000 student records were exposed, and this time more than 1 million students, faculty and staff were affected.”
He points out: “It seems the university did not learn from last year’s blunder and is paying the price with an even heftier data breach. Higher education institutions, like Georgia Tech, must implement a more proactive approach to security and leverage tools that can actually predict when and where a breach is most likely to occur so that appropriate remediation can be applied before damage is done.”
Because academic institutions are a growing target for attacks, given the personally identifiable information they hold, universities need to put stronger measures in place.