
Cyber Incident Victim: University of Chicago

Date: Jan 2015

Location: United States of America

Summary

A cybersecurity breach at the University of Chicago involved unauthorized access via an SQL injection vulnerability exploited by Carbonic, compromising payroll information, employee IDs, and other undisclosed data. The attackers accessed databases containing names, email addresses, and salary statuses for non-clinical staff in the Biological Sciences Department, along with patient information and detailed salary records, though they claimed not to have extracted sensitive patient data or full salary figures to avoid harming individuals. Following notification by a third party, the university addressed the vulnerability but did not publicly acknowledge or deny the incident.


Description

In January 2015, the Carbonic collective claimed a breach of the University of Chicago carried out by exploiting an SQL injection (SQLi) vulnerability. The attackers accessed internal databases containing payroll information, employee IDs, and other undisclosed data from the university’s systems. A representative using the handle @MarxistAttorney communicated with DataBreaches.net, confirming the intrusion and providing a vulnerable URL that facilitated the SQLi attack. Initial data dumps mirrored on Carbonic’s site and Pastebin included names, email addresses, and salary status designations (active or inactive) for non-clinical staff within the Biological Sciences Department. The attackers emphasized this represented only a fraction of the compromised data, withholding additional information they accessed but did not disclose. Testing by DataBreaches.net confirmed the university had patched the vulnerable URL by the day after the initial notification, indicating remediation efforts were underway. The university did not acknowledge or respond to multiple inquiries from DataBreaches.net regarding the breach notification or the legitimacy of Carbonic’s claims.


Following the initial report, @MarxistAttorney clarified the scope of accessed data in response to specific questions. The attackers confirmed discovering patient information within the compromised MSSQL Server databases but stated they refrained from extracting or leaking it out of ethical considerations. Similarly, while databases containing detailed employee salary figures were accessible, Carbonic claimed to have extracted only limited records indicating salary activation status for one department, avoiding full financial disclosures. The collective corrected an earlier misidentification by DataBreaches.net, clarifying their name was “Carbonic” rather than “#TeamCarbonic.” No evidence suggested unauthorized access to clinical systems or exfiltration of patient treatment records. The incident highlighted risks associated with unpatched SQLi vulnerabilities in university infrastructure, though the full extent of data exposure remained unverified due to the university’s non-response and Carbonic’s selective data publication.
