Central database accessed through vulnerable web app
A security breach at Georgia Tech university has exposed the details of 1.3 million students and faculty members, the renowned computer science institution has confirmed.
The names, addresses, Social Security numbers, and birth dates of current and former staff and pupils were accessed by an unknown third party in December 2018.
Details belonging to student applicants are also believed to have been accessed.
According to Georgia Tech, the unidentified hacker gained unauthorized access to a central database through a vulnerability in a web application.
The intrusion was first detected on March 21, when the institution’s IT staff noticed a “significant performance impact” on the unnamed app.
An investigation found that the database was first accessed on December 14, 2018.
The vulnerability has now been patched, Georgia Tech confirmed, and those affected have been notified.
It’s worth pointing out that Georgia Tech has an average enrollment of 30,000 students a year – suggesting that the majority of the breached details belong to former scholars.
Adam Brown, manager of security solutions at Synopsys, told The Daily Swig: “Indications that the breach came through a web application are surprising, given this institute’s strong reputation in computer science.
“Web application security flaws and vulnerabilities are well documented and understood, even categorized into a well-known list – the OWASP Top 10.
“Technical controls must be underpinned with process and policy for them to be effective,” Brown added. “It will be interesting to see what went wrong here. Inevitably some students will be European citizens, so this will likely trigger a GDPR breach investigation.”
This latest incident was the second identity breach at Georgia Tech in two years. In 2018, the personal details of 8,000 students were mistakenly emailed to other pupils at the university.