Georgia Tech announced yesterday that a vulnerability in a web application allowed an attacker to gain access to the personal information of up to 1.3 million students, college applicants, staff, and faculty members.
On March 21st, Georgia Tech developers were investigating a performance issue in one of their web applications and discovered that an unauthorized third party had gained access to the server. Upon further investigation, it was determined that the intruders gained access on December 14th, 2018 through a vulnerability in a web application.
“Application developers for the Institute noticed a significant performance impact in one of its web applications and began an investigation on March 21, 2019,” stated Georgia Tech’s announcement. “During this investigation it was determined the performance issue was the result of a security incident.”
Through this vulnerability, the intruders were able to gain access to a database that contained the personal information of up to 1.3 million students, applicants, and staff members. This information included names, addresses, social security numbers, and birth dates.
“The information illegally accessed by an unknown outside entity was located on a central database. Georgia Tech’s cybersecurity team is conducting a thorough forensic investigation to determine precisely what information was extracted from the system, which may include names, addresses, social security numbers, and birth dates.”
While the vulnerability in the web application has since been patched, Georgia Tech has not disclosed what was causing the performance issue that led them to discover the breach. It is possible that the attackers were using the server for further attacks on external servers or had installed malware, such as mining software, that consumed the server’s resources and impacted performance.
The university has already contacted the U.S. Department of Education and will be notifying those who were affected.
Second breach in a year
To make matters worse, this is the second security incident to affect Georgia Tech in the past year.
According to DataBreaches.net, a staff member accidentally mass emailed a spreadsheet to students that contained the personal data of 8,000 people. This data included student ID numbers, home addresses, visa info, GPA, academic standing, and hours earned.
Date: April 09, 2019
Source: Bleeping Computer