In a written statement in response to Star Tribune questions, spokesman Jake Ricker said that on July 21, the university "became aware that an unauthorized party claimed to possess sensitive data allegedly taken from the university's systems."
The university didn't immediately provide information about how it was alerted to the breach or the the scope. A July 21 report from the Cyber Express, a news site, outlines a hacker's claims that they had accessed some 7 million Social Security numbers at the university dating to 1989. The report said the hacker accessed the university's data warehouse to analyze the effects of affirmative action in the wake of a recent U.S. Supreme Court ruling that limits the consideration of race in college admissions.
"First, you have to determine somebody claims something, but is there evidence that it actually is true?" U Interim President Jeff Ettinger said Tuesday. He said the university is investing "fairly significant resources" to try to determine how many people's information was accessed "and precisely who."
"We have to know who to notify," he said.
Ricker said the university began an investigation and hired "outside global forensics professionals to help determine the validity of the party's claims, and to ensure the security of the university's systems."
Ricker said the university has been in regular contact with the FBI and will continue to cooperate in any active investigation. The "preliminary assessment" is that the accessed data is from 2021 and earlier.
Since late July, the university has taken steps bolster its overall system security with multi-factor authentication and increased monitoring, Ricker said.
"The university has also run additional scans that did not reveal ongoing suspicious activity related to the incident," he wrote.
If sensitive data was accessed, the university pledged to notify those affected and help protect against misuse of their information as required by law, Ricker said. As required by law, he said the university has also notified the U.S. Department of Education and state legislative auditor.
The U.S. Department of Education didn't immediately release information Tuesday.
Minnesota Legislative Auditor Judy Randall said university officials notified her July 21 and she has been in regular contact with their internal auditor to learn more about their processes for protecting data, what lessons they're learning and what changes they might make in the future.
"For now, we are letting them do their work to investigate what happened, the extent of it," Randall said.
A spokesperson for the local FBI office didn't immediately respond to a request for comment.
Ricker said the "safety and privacy of all members of the university community are among the university's top priorities. The university investigates these situations immediately and fully, and will keep the community informed as additional, relevant information becomes available."
©2023 StarTribune. Distributed by Tribune Content Agency, LLC.
