The University of South Carolina has started notifying 34,000 people with ties to its College of Education that their personal information might have been accessed in a computer intrusion discovered nearly three months ago.
The data-security breach is the largest of six that USC has reported since 2006. Almost 81,000 records belonging to USC students and employees have been exposed during the past six years.
“That’s a dreadful track record,” said Beth Given, director of the Privacy Rights Clearinghouse, a San Diego-based consumer rights group that tracks breaches.
The latest USC computer intrusion exposed the names, addresses and Social Security numbers of students, staff and researchers at the College of Education dating back to 2005, said Bill Hogue, USC’s vice president for information technology. No transcripts were accessed.
USC is unclear on when the breach, which emanated from overseas, occurred. The hacking was discovered by an alert on June 6, the school said. The school’s security procedures were followed before the breach, Hogue said.
USC has found no evidence that the hacker or hackers accessed or used any information on the College of Education computer server, but school officials decided to send notices to everyone in the database so individuals can place fraud alerts to notify them of suspicious activity on their credit reports.
Consumer rights advocate Given said USC should offer to pay for credit-report monitoring for two years. Monitoring usually costs $10 to $20 a month, she said.
The school has hired Nashville-based Kroll Advisory Solutions to assist those affected for a year with posting fraud alerts and analyzing credit reports to detect problems, USC spokesman Wes Hickman said. He said he did not know if the cost of monitoring was included in the service.
Given also questioned why USC took 11 weeks to warn people about the breach, a period that would give criminals plenty of time to use the information for identity theft — to open credit cards or obtain a driver’s license.
“I question how they would know with 34,000 people that no one had their information accessed,” she said.
Hogue said USC officials made a judgment call, not wanting to be too alarmist until they could examine the severity of the breach and the information that was vulnerable.
“We favored being as accurate and comprehensive as possible,” he said. “If someone wants to take us to task (for the notification delay), I can understand.”
Hogue said school officials will examine whether to change when they tell those affected by any future breaches, and they will ensure school officials understand how long they should keep records on computer servers.
The school is hit with an average of 280 attempts a day to hack or infect its computers — almost all generated by automated systems known as bots, Hogue said.
As many as 55,000 devices — including smartphones, tablets, laptops, desktops and servers — are connected to USC’s computer systems daily, he said.
“We’re not done with our investigation,” Hogue said.