The Daily Cardinal Est. 1892
Thursday, May 02, 2024

Cybercriminals stole thousands of UW records, but system leaders didn’t tell the public. Why?

Over 160,000 University of Wisconsin System records, some containing personal information, were stolen during a May cyberattack against the National Student Clearinghouse by a Russia-based cybercriminal organization.

Personal information and over 160,000 University of Wisconsin System records were stolen during a cyberattack that affected the National Student Clearinghouse, according to emails obtained by The Daily Cardinal. 

It’s part of a massive global cyberattack affecting governments, businesses and educational institutions that tech reporters at The Verge called the “biggest data theft” of 2023. 

While many affected institutions — Michigan State University (MSU) and the University of Illinois, for example — quickly issued student- and public-facing statements on the breach, pointing to lengthy time periods for victim identification, the UW System didn’t follow suit. 

UW System spokesperson Mark Pitsch told the Cardinal the UW System was “entirely dependent upon the NSC” for information about the breach and chose not to make an immediate public announcement.

“Rather than prematurely announcing that we were affected and unnecessarily alarming tens of thousands of students, we waited to make decisions based on facts as we always do,” Pitsch said in an email. “It took several weeks for NSC to provide all of the details, and at no point in the process did we believe the incident reached a level to merit a widespread breach notification message.”

At the University of Illinois System, a cybersecurity official gave the same time-based justification for why the university chose to put out a public disclosure within days of receiving notification from the NSC.

Although the NSC “committed” to notifying affected students, “it was clear that it would take a number of weeks for that information to be compiled and distributed,” said Joe Barnes, Chief Digital Risk Officer for the University of Illinois System. 

Barnes said that’s why the University of Illinois System chose to put forth a public breach notification within a week of being informed. An MSU spokesperson offered a similar justification over email for the school’s immediate notification, saying the university “did not know just how many students or employees’ information could have been compromised” when it was first notified.

UW's decision raised questions among two information security experts the Cardinal spoke to who were familiar with the wider incident. While they said state guidelines and other best practices suggest notifying the public about data breaches is usually a safer option, they also said those notifications have limited effectiveness.

Given the finer details of the data breach, the experts acknowledged universities were in a tough spot. However, their biggest worry was that third-party data managers are prime targets for attacks like the one UW and other universities suffered.

“We’re in Equifax breach territory here,” said Dorothea Salo, a UW-Madison Information School professor. “This is huge.”

The decision to notify was complicated

The data breach, orchestrated by Russia-based cybercriminal organization CL0P on May 28, affected over 90 million individuals and 2,700 organizations, according to a running tally by antivirus company Emsisoft. Dozens of class action lawsuits spawned from the breaches, according to Recorded Future, a cybersecurity company.

Some harvested records contained personally identifiable information: names, addresses, financial information, social security numbers and other details that have long-lasting impacts on financial and personal well-being if made public.

According to a Sept. 6 email sent to UW System administrators, including UW System President Jay Rothman, 163,828 UW System records were included in the “critical” May 28 breach. The UW System was notified on June 28.

The number of individuals affected and records breached was unknown at the time, according to Harrison. 

Throughout the coming months, the UW System stayed quiet about the breach despite public announcements from other universities and university systems. 

Affected UW campuses — UW La Crosse, Milwaukee, Oshkosh, Platteville, Stevens Point, Stout, Whitewater and Green Bay — were eventually named in NSC reports submitted Sept. 22 to the California attorney general’s office. Harrison also named UW-Madison, Superior and River Falls as affected campuses in his June email.

Emails indicate the UW System closed correspondence with the NSC on Sept. 6. 

“We are ultimately very fortunate that NSC was able to narrow the scope from over 160,000 records down to just 16 that were categorized as triggering a legal requirement for notification,” Jeff Harrison, UW System director of cyber defense, wrote in the email.

An unspecified number of records couldn’t be matched to a current address and had “no reasonable method of discerning address,” Harrison said.

“Ultimately, we were pleased to learn that only a very small number of persons associated with the UWs had enough personal information exposed by this third-party breach to merit a notification,” Pitsch said. He did not provide a specific number of individuals affected.

Some experts said issuing public notification prior to knowing the exact victims of an attack isn’t always a clear-cut decision. 

Without more information on the extent of a breach and the information compromised, it’s hard to determine whether public disclosure is the best option, said Salo.

“If it was a situation where it wasn't a whole lot of people, and it wasn't a whole lot of sensitive data, then I completely understand not making a big deal out of it,” Salo said.

Still, she added that the ramifications of the hack hit throughout the higher education sphere, which is becoming increasingly embattled with cybersecurity threats. 

“At that point, I think it might be time, for the sake of trust, to do a little more communicating than they have,” Salo said. “It has to have been a difficult decision for the folks at [the UW] System trying to figure out what to do.”

It’s unclear whether state law required public disclosure

In Wisconsin, neither the UW System nor the Board of Regents has a specific policy dictating when public disclosure of data breaches must occur. 

Wisconsin state statutes require organizations, including businesses and state bodies, to inform affected individuals they have not communicated with before within 45 days of a data breach if a risk of identity theft is present.

If an address cannot be determined, an organization must communicate the breach in a manner “reasonably calculated to provide notice,” such as a newspaper or television statement.

The UW System did not answer a question asking what method it took to inform the individuals whose addresses could not be matched.

Wash, one of the UW-Madison information professors, said it’s unclear if that statute would apply to the UW System, given the breached data was housed by a third party. 

Wash did say it’s considered “best practice” to communicate with potential victims of a breach, but he added a caveat: breach notifications might not provide much help.

Consumers are already told to take protective measures regardless of data breaches, Wash said, and “some research suggests that most people don’t do much differently after the notification as they were doing before.”

Burnout from overexposure to breach notifications is another concern.

“You want people to know, but you don’t want to panic people,” Salo said. “It can feel like crying wolf.”

Still, Wash said public data breach notifications can be vital in a different sense.

“Those breach notifications are really, really important for public policy purposes and for pressuring organizations,” Wash said. “It creates pressure inside of UW to do better. I would like to see a notification because I think it’s time for UW to do a little bit better on this.”

Prior to the adoption of breach disclosure laws, organizations would stay quiet about breaches and “what kinds of things were being stolen,” Wash said. 

“There was little pressure to actually fix it or do anything,” Wash said. Notification laws, he said, force organizations to “do a better job at protecting that data so they don’t have to notify people all the time.”

Breach notifications also put the UW System’s various partnerships with third parties under scrutiny, Wash said. Wash and Salo emphasized the importance of putting pressure on third parties and “choosing carefully” about the amount of data given to third parties.

Salo called the amount of student data the NSC has access to a “big red hacker target.”

“But it’s not just that. Who has access to this data? Who else is analyzing this data, what are they analyzing it for?” she said. “There's a lot of concerns that I have just sending student data hither and yon, and not really putting any controls on it and not telling us that this is happening.”

Breach leaves lingering concerns for the future

Harrison’s emails indicated that “lessons learned” include revisions to contract language around data responsibilities and contact methods for third-party breaches.

Those lessons track with Salo and Wash’s hopes for a more stringent relationship between the UW System and third-party partners like the NSC. Pointing to the breach, Salo said she hoped for a UW policy that would provide “the least data we can possibly send” to third parties. 

“Because, as this proves, it’s just risky,” Salo said. “It’s risky sending your data to third parties, especially ones who insist on using software that really badly needed an audit.”

But the decision to minimize data sending would fall to UW System administrators, not its cybersecurity teams, she said.

Salo worried information in the thousands of non-personally-identifiable records could be used for re-identification. 

“Even without somebody's name, or social security number or student ID number, you can figure out who they are,” Salo said.

“Let's say for example, we've got their demographics, their year in school, their majors and maybe a list of their courses for some semester,” Salo said, pointing out the NSC would have all that information. “It certainly would take an insider, like, three minutes to figure out exactly who this person is. An outsider? Hard to say, but not impossible.”

The attack came as educational organizations and government bodies look to invest in cybersecurity for higher education — a sector with troves of personally identifiable information and financial data, prime targets for hackers. 

In July, the Biden administration announced a new comprehensive strategy and millions of dollars in awards and infrastructure investments to address “the critical need to fill a vast number of vacant cyber jobs.”

Experts emphasized the need for institutional cybersecurity funding in the UW System. But in dealing with third parties, Salo said, institutions are left to the whims — and cybersecurity systems — of their many partnerships. On the other third party in the room — the hackers — Wash said the future is still uncertain.

“Someone, an unauthorized third party, definitely does have access to [the data]. But the question is, what are they going to do with it? And we don't know that yet,” Wash said.

Liam Beran

Liam Beran is the Campus News Editor for The Daily Cardinal and a third-year English major. Throughout his time at the Cardinal, he's written articles for campus, state and in-depth news. Follow him on Twitter at @liampberan.

