Georgia Tech announced Tuesday that a central database was accessed by an unknown outside entity through a web application.
Photo: JOHN SPINK / JSPINK@AJC.COM
Photo: JOHN SPINK / JSPINK@AJC.COM

Data breach exposes up to 1.3M Georgia Tech faculty, students

It sounds a bit ironic: a data breach potentially affecting 1.3 million current and former students, faculty and staff members at Georgia Tech, the world renowned university with lauded computer science programs.

But it happened.

The school disclosed the breach, its second in less than a year, on Tuesday, saying it feared the exposed information included names, addresses, social security numbers and birth dates. Tech spokesman John Toon said officials at the school, which typically has around 30,000 students enrolled, learned in “late March” that a central database had been accessed by an unknown outside entity. 

Toon said Tech immediately corrected the application, but personal information was likely exposed. “Georgia Tech’s cybersecurity team is conducting a thorough forensic investigation to determine precisely what information was extracted from the system,” he said. 

The school is working to identify the individuals whose data was compromised and intends to contact them, Toon said. He didn’t say by when victims could expect to be notified.

The breach is reminiscent, but far larger, than one last July when students were furious after the university mistakenly emailed the personal information of nearly 8,000 College of Computing students to other students.

The information leaked in 2018 included student identification numbers, phone numbers, dates of birth, addresses, grade-point averages and nations of origins for those born in other countries. Social security numbers weren’t included, Tech officials said.

Nate Knauf, who’s studying computer science at Tech, told The Atlanta Journal-Constitution the latest breach was “incredibly disappointing.” 

He added: “Given our high rankings in computer science, this is simply inexcusable.”

Many questions remain unanswered in the breach, including how and when the breach was discovered; who committed it; where the 1.3 million estimate of affected parties came from; and what, if any, law enforcement agency is investigating.

Toon said he couldn’t yet offer that information. He did say the U.S. Department of Education and University System of Georgia have been notified.

While it may seem strange for a school that teaches cybersecurity to be hit twice in a year, schools like Tech aren’t uncommon targets as data hacks become increasingly commonplace.

“Academic institutions aren’t exactly new targets — they are actually big targets,” said Humayun Zafar, a professor in information security at Kennesaw State University. “At the end of the day the systems that are used across the board (for data retention) are similar.”

Such breaches have happened at universities across the U.S.: The University of TexasYale University, and in 2018, federal authorities indicted nine Iranians for allegedly hacking 144 American universities.

Then there are the hacks of municipalities, including Atlanta, banks, Equifax, big box retailers and even hospitals. Last year, Augusta University Health officials said they feared sensitive health and personal information of about 417,000 people may have been compromised.

Each attack can be different, with different motives and levels of success, and it’s too soon to say how the Tech hack played out. 

But Zafar said he suspects what happened at Tech was a so-called “zero day” attack, which is where a hacker find and pounces on a system vulnerability that the system’s owner isn’t aware of. It’s something like what could happen if a homeowner forgot leaving a spare key under the doormat. A crook can come along, find it and get in the house.

What tends to happen after zero day attacks, Zafar said, is the attacked victim recognizes the vulnerability and patches it so the issue won’t happen again. The homeowner moves the key.

But the crook has already been inside, and the damage must be assessed.

“We continue to investigate the extent of the data exposure and will share more information as it becomes available,” Mark Hoeting, the school’s vice president for information technology, said in an email to students. “We apologize for the potential impact on the individuals affected and our larger community. We are reviewing our security practices and protocols and will make every effort to ensure that this does not happen again.”

Zafar said Tech’s breach may cause the state’s other academic institutions to take a harder look at what can be done to prevent such attacks.

— Please return to AJC.com for updates. 

In other news: 

Support real journalism. Support local journalism. Subscribe to The Atlanta Journal-Constitution today. See offers.

Your subscription to the Atlanta Journal-Constitution funds in-depth reporting and investigations that keep you informed. Thank you for supporting real journalism.