The University of Delaware has notified the campus community that files were taken that include confidential personal information of current and past employees, including student employees. A criminal attack on one of the University’s systems took advantage of a vulnerability in software acquired from a vendor.
The University has sent notification letters to more than 74,000 affected persons and offered them free credit monitoring. Approximately one-third have active UD email accounts and will have received an email notification as well.
Because the FBI investigation is ongoing, we cannot provide detailed information on what happened. But the UD investigation has concluded that one University maintained system was subject to a criminal attack that exploited a vulnerability in software provided to UD by a vendor.
Several dozen other companies, agencies, and organizations have also been subjected to attacks taking advantage of the same software vulnerability.
The University of Delaware takes information security very seriously. Before our forensic investigation was completed, we began to strengthen our defenses against future cyberattacks.
Additionally, UD is employing a leading data security firm to complete a forensic investigation of the incident to ensure a thorough evaluation of how this breach happened and the most secure path going forward to protect against future attacks.
UD is not passing the costs incurred for the investigation or credit monitoring services to any UD constituency.
The incident at the University of Delaware is neither unique nor the largest security breach in higher education. The University is doing everything it can to help you monitor the risk to your personal information.