Cyber Incident Victim: University of Central Florida
Date:
Jan 2016
Location:
United States of America
Summary
A cybersecurity breach at the University of Central Florida compromised personal information, including Social Security numbers, of approximately 63,000 students, former students, and faculty/staff members. The intrusion was discovered in early January, though specific financial, medical, and academic records remained unaffected. The institution offered affected individuals one year of complimentary credit monitoring and identity protection services. Law enforcement and a digital forensics firm are investigating the incident to determine its scope and origin.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In early January 2016, the University of Central Florida discovered a cybersecurity breach affecting its systems. The incident was publicly disclosed on February 4, 2016, after an internal investigation determined that unauthorized individuals had potentially accessed sensitive personal information. The compromised data included social security numbers and other private details belonging to approximately 63,000 individuals comprising current students, former students, and faculty or staff members. While the university confirmed the exposure of social security numbers, it explicitly stated that credit card numbers, medical records, financial records, and academic grades remained unaffected by the intrusion. The breach impacted a subset of the university community despite UCF's total enrollment exceeding 60,000 students at the time. The primary risk identified was potential identity theft, with criminals possibly using stolen social security numbers to obtain fraudulent credit or loans.
UCF initiated notification procedures by arranging to send physical letters via postal mail to all affected individuals following the breach confirmation. These communications outlined instructions for enrolling in complimentary credit monitoring and identity protection services provided by the university for one year. The institution engaged law enforcement agencies and contracted an unnamed digital forensics firm to assist with investigating the intrusion's origin and methodology. No specific details regarding the attack vectors, duration of unauthorized access, or identity of threat actors were disclosed in the initial announcement. The university's proximity to Walt Disney World's Epcot Center, located approximately thirty minutes away, was noted in geographical context but did not factor into the breach's causation or impact assessment. Response efforts focused on mitigating potential fraud risks through credit monitoring while investigators worked to determine the full scope of compromised systems.