University of Michigan warns that personal information was leaked during cyberattack

Troves of sensitive personal information from students, applicants, employees and others were leaked during an August cyberattack, University of Michigan said Monday.

In an update on the incident, school officials explained that even though they were able to contain the cyberattack by disconnecting the campus network from the internet, the hackers were still able to access some university systems from August 23 to August 27.

The university hired an incident response firm to assess the situation and determined that the hackers were able to access personal information relating to certain students and applicants, alumni and donors, employees and contractors, University Health Service and School of Dentistry patients, and research study participants.

For students, applicants, alumni, donors, employees and contractors, the information accessed included Social Security numbers, driver’s license numbers, government IDs, financial account and payment card numbers, as well as health information.

The hackers accessed that same information in addition to medical record numbers, diagnosis information, treatment data and medication history belonging to research study participants and University Health Service and School of Dentistry patients.

The school did not respond to requests for comment about how many people had their information accessed.

The university said it is still coordinating with law enforcement about the issue and mailed letters to everyone affected on October 23.

All victims are being offered free credit monitoring services for an undisclosed amount of time, and a call center is being created for victims who have questions.

“The investigation was comprehensive and determined that the unauthorized third party was able to access certain information, including information relating to certain members of our community,” said Chief Information Officer Ravi Pendse and Chief Information Security Officer Sol Bermann in a statement.

“We are currently in the process of notifying relevant individuals. We understand this news is difficult and we are committed to supporting every member of our community.”

The school’s more than 51,000 students were cut off from the internet for days right as the school year began after the cyberattack was discovered.

The school never said whether it was a ransomware attack and no ransomware gang has taken credit for the incident.

But ransomware gangs have increasingly targeted organizations in the state with brazen attacks, damaging several community colleges across Michigan earlier this year as well as one of the state’s largest healthcare systems three weeks ago.