Cyber Incident Victim: Butler University

The Butler University data breach impacted approximately 163,000 individuals affiliated with the Indianapolis-based institution, including students, alumni, faculty, staff, and past applicants. The intrusion occurred between November 2013 and May 2014, during which unauthorized actors accessed files containing names, dates of birth, Social Security numbers, and bank account information. Discovery of the breach occurred on May 28, 2014, when California law enforcement officials contacted the university regarding an identity theft suspect found possessing a flash drive containing personal information of Butler employees. The university had no prior internal detection of the compromise before this external notification. Investigations confirmed the attacker(s) had no institutional affiliation, ruling out insider involvement. Data exposure extended to individuals associated with the university as far back as 1983, indicating the compromised records spanned multiple decades of institutional history.

Butler University initiated parallel investigations immediately upon discovery, engaging both internal resources and an external computer forensics firm to assess the breach scope. Forensic analysis confirmed the six-month intrusion window and identified the types of sensitive data exfiltrated. The institution notified all potentially affected parties through breach notification letters detailing the incident's parameters. Remediation efforts included offering complimentary credit monitoring services for one year to all 163,000 victims and recommending they place fraud alerts on their financial accounts. No evidence suggested misuse of the stolen data beyond the initial law enforcement seizure from the unrelated identity theft suspect. The university maintained public confirmation that the breach originated from external threat actors without institutional connections throughout their communications regarding the incident.