Academic institutions inevitably build large databases as a result of dealing with thousands or even millions of individuals, from former and current students to professors and researchers. These databases, as expected, include information of interest to cybercriminals.

This time it was the turn of the Georgia Institute of Technology, commonly known as Georgia Tech. The institution announced last week that it was the victim of a major cybercrime that was traced back to December 14, 2018.

While the details of the attack aren’t quite clear yet (there is an ongoing forensic investigation to assess the damage and learn further details), the announcement made by Georgia Tech contains some interesting points.

Scale of the Attack

According to the published note, the data breach suffered by Georgia Tech last December exposed the personal information of at least 1.3 million individuals, including former and current students, student applicants, professors, researchers, and staff.

The personal information that was exposed and possibly stolen included names, addresses, Social Security numbers, dates of birth, and internal identification numbers. It’s also possible that other types of data were exposed as well.

Vulnerability Exploited

So far, Georgia Tech and the forensic investigators have found that cybercriminals gained access to the central database by exploiting a vulnerability in the institution’s web app.

It was also mentioned that unauthorized access by hackers was traced back to December 14, but there is the possibility that access was gained even before that date.

This vulnerability in the web app was detected by the Georgia Tech team a month ago, back in March 2019. What led investigators to the vulnerability was a significant performance issue that was affecting the application. At the same time, it was discovered that the performance issue that initiated the investigation was a consequence of the data breach perpetrated by cybercriminals.

What Now?

Georgia Tech is already notifying all those individuals whose personal information may have been exposed and stolen by cybercriminals. The announcement last week made clear that the full extent of the attack was still unknown.

According to Georgia Tech, major efforts are under way to determine the precise details of the attack’s impact, such as how many individuals were affected by the breach and exactly how the cybercriminals obtained unauthorized access.

The University System of Georgia and consumer reporting agencies are working alongside Georgia Tech to determine how to protect those individuals who were affected. Further information on these last few points will be disclosed soon, according to the announcement.