University of Michigan Reveals Hackers Obtained Troves of Data in August Breach

The hackers behind the data breach the University of Michigan suffered in August made off with troves of data belonging to students, applicants, alumni, donors, employees and contractors, the university said in an update.

Until this week, U-M kept a tight lid on the details surrounding the breach, telling the media that its ongoing investigation was preventing it from sharing “anything that might compromise that important work.”

With the investigation now concluded, U-M can share more details of what happened in August.

“Based on our investigation, we have determined that an unauthorized third party was able to access certain University systems from August 23, 2023 to August 27, 2023,” according to an update issued Monday, Oct. 23.

“Based on this data analysis, we believe that the unauthorized third party was able to access personal information relating to certain students and applicants, alumni and donors, employees and contractors, University Health Service and School of Dentistry patients, and research study participants.”

The attackers managed to exfiltrate Social Security numbers, driver’s license or other government-issued ID numbers, financial account or payment card number, and/or health information belonging to students, applicants, alumni, donors, employees and contractors.

Also affected are research study participants and patients of the University Health Service and School of Dentistry.

Per the notice, the data compromised for this particular cohort includes: demographic information (e.g., Social Security number, driver’s license or government-issued ID number), financial information (e.g., financial account or payment card number or health insurance information), University Health Service and School of Dentistry clinical information (e.g., medical record number or diagnosis or treatment or medication history), and/or information related to participation in certain research studies.

The school is “continuing to work with third-party cybersecurity experts to take steps to harden our systems and emerge from this incident as a more secure community,” and is now emailing letters to everyone affected.

It advises everyone to remain vigilant for fraud and identity theft, and to report any suspicious or unusual activity to their bank.

The university is also offering complimentary credit monitoring services to those affected, “out of an abundance of caution.”

The incident bears the signs of a ransomware attack, yet no major ransomware operation has so far claimed responsibility, nor has anyone attempted to leak or sell the stolen data on the underground web.

As noted in our previous coverage, if this was indeed a targeted attack, the culprits may have simply aimed for disruption and bragging rights in hacking circles. Either way, the attack took quite a toll on the university.

Bitdefender Digital Identity Protection lets you instantly find out if your data has leaked online, what type of information was compromised, what risks you face, and whether your information is for sale on the dark web.

Bitdefender Identity Theft Protection covers damages and financial loss from identity theft, complete with identity theft restoration services, and insurance up to $2 million.