Cyber Incident Victim: University of the People
Date:
Jan 2022
Location:
United States of America
Summary
An unauthorized party accessed the University of the People's SharePoint platform, compromising confidential student and applicant information including names and Social Security numbers. The breach was identified during an internal investigation supported by a third-party security firm, revealing unauthorized access to enrollment-related data stored on the platform. The institution notified affected individuals and regulatory authorities, warning of potential identity theft and fraud risks stemming from the exposure of sensitive personal identifiers.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On January 2, 2022, the University of the People (UoPeople) detected a potential security incident involving unauthorized access to its IT network. The university initiated an investigation with assistance from a third-party data security firm to determine the nature and scope of the breach. The investigation confirmed that between January 2, 2022, and January 10, 2022, unauthorized parties gained access to the university's SharePoint platform, a system primarily used by applicants and students for enrollment-related activities. During this eight-day period, the intruders potentially exfiltrated confidential consumer data stored within SharePoint. UoPeople conducted a comprehensive review of the compromised files following the discovery of unauthorized access, identifying the specific types of sensitive information exposed. The analysis revealed that the breached data included individuals' names and Social Security numbers, though the exact combination of compromised information varied among affected parties. The university did not disclose the total number of impacted individuals in its Maine Attorney General filing but confirmed the exposure of these critical personal identifiers.
Upon concluding its investigation, UoPeople formally notified the Maine Attorney General's office about the breach on March 24, 2023, over fourteen months after initially detecting the incident. The same day, the university began distributing individualized data breach notification letters to all affected consumers. These notifications detailed the specific personal information exposed in each recipient's case and outlined the potential risks associated with the compromise of Social Security numbers, particularly highlighting vulnerabilities to identity theft and fraud. As an accredited online institution offering tuition-free degree programs, UoPeople's SharePoint system contained enrollment-related data from applicants and students participating in its associate, bachelor's, and master's degree programs. The Pasadena-based nonprofit, which employs over 200 staff and generates approximately $23 million in annual revenue, did not publicly disclose technical details regarding the attack vector, containment measures implemented during the breach window, or whether law enforcement was involved in investigating the incident. The delayed notification timeline between January 2022 discovery and March 2023 disclosure suggests an extended forensic investigation period to determine breach scope and identify affected individuals across the university's systems.