University of Minnesota investigating a data breach, notified law enforcement

The University of Minnesota notified law enforcement as well as state and federal regulatory agencies about a potentially massive data breach a month ago, U officials confirmed Tuesday.

In a written statement in response to Star Tribune questions, spokesman Jake Ricker said that on July 21, the U "became aware that an unauthorized party claimed to possess sensitive data allegedly taken from the University's systems."

The U didn't immediately provide information about how it was alerted to the breach or its scope. A July 21 report from the Cyber Express, a news site, outlines a hacker's claims that they accessed some 7 million Social Security numbers at the university dating to 1989. The report said the hacker accessed the university's data warehouse to analyze the effects of affirmative action in the wake of a recent U.S. Supreme Court ruling that limits the consideration of race in college admissions. The report did not mention any demands of the U.

"First, you have to determine somebody claims something, but is there evidence that it actually is true?" U interim President Jeff Ettinger said Tuesday. He said the U is investing "fairly significant resources" to try to determine how many people's information was accessed "and precisely who."

"We have to know who to notify," he said.

Ricker said the university began an investigation and hired "outside global forensics professionals to help determine the validity of the party's claims, and to ensure the security of the University's systems."

Ricker said the university has been in regular contact with the FBI and will continue to cooperate in any active investigation. The "preliminary assessment" is that the accessed data is from 2021 and earlier.

Since late July, the university has taken steps to bolster its overall system security with multi-factor authentication and increased monitoring, Ricker said.

"The University has also run additional scans that did not reveal ongoing suspicious activity related to the incident," he wrote.

If sensitive data was accessed, the U pledged to notify those affected and help protect against misuse of their information as required by law, Ricker said. He said the university has also notified the U.S. Department of Education and state legislative auditor, as legally required.

The U.S. Department of Education didn't immediately release information Tuesday.

Minnesota Legislative Auditor Judy Randall said U officials notified her July 21 and she has been in regular contact with their internal auditor to learn more about their processes for protecting data, what lessons they're learning and what changes they might make.

"For now, we are letting them do their work to investigate what happened, the extent of it," Randall said.

The local FBI office didn't immediately respond to a request for comment.

Ricker said the "safety and privacy of all members of the University community are among the University's top priorities. The University investigates these situations immediately and fully, and will keep the community informed as additional, relevant information becomes available."