At least 63,000 current and former students at the University of Central Florida are getting bad news this week: Someone breached the school's network to access their social security numbers and other sensitive personal data. Student-athletes, students who were also working for the university and faculty are the main groups on campus affected. While UCF said that credit card information, medical records and grades were not exposed, it recommends that the student body check its credit reports and bank statements "out of an abundance of caution".
UCF set up a web page to answer questions about the data breach, and explain its response:
Upon learning of the incident, UCF immediately launched an internal investigation and reported the incident to law enforcement. We also engaged one of the nation's leading incident response and digital forensics firms to assist in our internal investigation.
We are mailing notices to individuals who may have been affected by the incident so they can take steps to safeguard their personal information going forward.
Since the school found out in January and informed people the next month, the lag time is relatively small compared to the inept responses to other hacks — the Office of Personnel Management, for instance, was still trying to notify US federal employees that they'd been hacked over six months after its breach was disclosed.
That doesn't mean UCF gets a gold star for doing what it should. If anything, we should continue to question why the school wouldn't immediately tell people to change their passwords, or why its security sucked so much in the first place.