University of Rochester Data Breach: What & How It Happened?

Twingate Team

Jun 20, 2024

In June 2023, the University of Rochester experienced a data breach involving a third-party vendor, Progress Software, and its MOVEit File Transfer solution. An unauthorized party exploited a security vulnerability, potentially accessing and removing files containing personal information. The university's broad network security and clinical applications, such as UR Medicine's eRecord and MyChart, were not impacted. The University of Rochester began notifying affected individuals in July 2023.

How many accounts were compromised?

The exact number of compromised accounts or users is not mentioned in the available sources, but it is known that the breach impacted students, employees, and their spouses, domestic partners, and dependents.

What data was leaked?

The data exposed in the breach included names, Social Security numbers, financial account information, and health insurance information of students, employees, and their spouses, domestic partners, and dependents.

How was the University of Rochester hacked?

The breach occurred when hackers exploited a vulnerability in the MOVEit File Transfer software provided by third-party vendor Progress Software, gaining unauthorized access to the University of Rochester's data. The scope of the compromised information was assessed, and remediation efforts were undertaken. However, the exact methods used by the hackers and whether any malware was involved remain unclear.

University of Rochester's solution

In response to the hacking incident, the University of Rochester took immediate actions to mitigate and assess the scope of potentially compromised information. They engaged outside professionals to investigate and remediate the vulnerability in the MOVEit File Transfer solution. The university is committed to maintaining the privacy of personal information and continually takes additional precautions to safeguard it. They regularly evaluate and modify their practices and internal controls to enhance the security and privacy of personal information. Affected individuals were notified, and a free 24-month credit monitoring membership was offered to all individuals impacted by the incident.

How do I know if I was affected?

The University of Rochester notified affected individuals about the breach and offered them a free 24-month credit monitoring membership. If you are associated with the University of Rochester and have not received a notification, you can visit Have I Been Pwned to check if your credentials were compromised in this or any other data breach.

What should affected users do?

In general, affected users should:

  • Change Your Passwords: Immediately update your passwords for any accounts that may have been compromised. Make sure the new passwords are strong and unique, not previously used on any other platform.

  • Reset Passwords for Other Accounts: If you've used the same or similar passwords for other online accounts, reset those as well. This is crucial as attackers often try using stolen passwords on multiple sites.

  • Enable Two-Factor Authentication (2FA): Activate 2FA on any affected accounts. Consider enabling this additional security feature on all other important online accounts to significantly reduce the risk of unauthorized access.

  • Monitor Your Accounts: Keep an eye on your accounts for any suspicious activity and report it immediately to the appropriate parties.

Where can I go to learn more?

If you want to find more information on the University of Rochester data breach, check out the following news articles:
