The Social Security numbers of nearly 30,000 people who enrolled at Iowa State University over a 17-year period were exposed in a data breach, school officials announced.
Five information technology servers on the Ames campus were hacked, and those servers contained the Social Security numbers of people who took certain classes at the school between 1995 and 2012, ISU officials said in a news release. There is no evidence that any of the personal files were accessed, the school said, and the records didn’t contain student financial information.
Senior Vice President and Provost Jonathan Wickert said an unknown person or persons hacked the servers and installed software that helps create the virtual currency bitcoin. Officials believe it’s affected other networks outside of the school that use similar technology.
The hack was discovered in late February, and the servers were repaired and fixed by early March, Wickert said. Officials discovered the exposed data on March 17. Since then, the school has been analyzing its entire network to search for any other breach. It has also been collecting the names and contact information of the affected individuals and reaching out to a credit monitoring firm.
“We don’t believe our students’ personal information was a target in this incident, but it was exposed,” Wickert said.
The servers also held university ID numbers for nearly 19,000 people. Officials say the numbers’ exposure has no financial threat, but the school is reaching out to those individuals as well.
School officials said that law enforcement has been notified, and individuals possibly affected will be notified by mail this week.
Those whose Social Security numbers were exposed include some people who enrolled in classes for computer science, world languages and cultures, and materials science and engineering. ISU will offer them free credit monitoring in case of identity theft and fraud.
The university says it has decommissioned and destroyed the compromised servers out of an abundance of caution. Similar servers have received software updates and are no longer accessible through the Internet. The university is also rolling out other security measures.
“Iowa State has always taken information security very seriously, and we will continue to take every possible action to safeguard the personal information of those who learn and work here,” Wickert said. “We have well-regarded cyber defense experts here who not only protect university data, but educate others on how to prevent computer attacks.
“Unfortunately, Iowa State is not immune to hacking, but we are disappointed and sorry for the inconvenience this incident may cause.”