
University of Minnesota confirms data breach

The University of Minnesota confirmed this week that the sensitive personal information of students, faculty and employees was leaked in a data breach, following a report last month from security researchers.

On July 15, a hacker on a dark web forum claimed to have access to 7 million Social Security numbers after breaking into a data warehouse the school used for record storage. The hacker claimed to have found “basically all records the university has since they began digitizing in 1989.”

The attack was purportedly in response to the U.S. Supreme Court decision striking down Affirmative Action, and the hacker asked others to organize the stolen data based on race and admission test scores.

The dark web post was first reported by Cyber Express, which said it did not get a response from the school before publication on July 21.

The university acknowledged the posting for the first time this week, and a spokesperson told Recorded Future News that it began an investigation on July 21 — hiring an outside global forensics expert to help “determine the validity of the party’s claims, and to ensure the security of the University’s systems.”

“The preliminary assessment is that the data at issue is from 2021 and earlier,” the spokesperson said.

“To the extent any sensitive personal data was accessed, the University will notify affected individuals and provide resources to help protect against misuse of their information, as required by federal and state law, University policies, and in accordance with our obligations to the University community. The University has also notified state and federal regulatory agencies, as required by law.”

The spokesperson declined to answer further questions about why the data was only relevant to 2021 and earlier when the hacker made the claims last month.

The university said it has taken a number of steps since 2021 to better secure its systems and that, since it became aware of the breach, it has conducted “additional scans that did not reveal ongoing suspicious activity related to the incident.”

They noted that the investigation is ongoing and that they continue to work with law enforcement on the situation.

This is the latest data breach affecting a public institution in Minnesota after the state’s Department of Education announced in June that it was affected by the exploitation of the MOVEit software.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.