New York's D’Youville University says students' names and SSNs were compromised in a security incident

The D’Youville University in Buffalo, New York, said it suffered a data breach incident that compromised the sensitive personal information of its students and faculty members.

The University said in a notification shared with the Attorney General of Vermont that on 8th February, it identified “suspicious activity” in its internal network. It immediately took steps to contain the situation and launched an investigation with assistance from third-party cyber security experts to determine the scope of the security incident.

“Upon learning of the event, we took steps to improve our security to better protect against similar incidents from occurring in the future. These steps include, but are not limited to, deployment of an Endpoint Detection and Response (EDR) and Managed Extended Detection and Response (MXDR) tool on our systems, upgrades to our security hardware, further network hardening and inspection policies and technologies, and revisions to our internal policies regarding the receipt of sensitive data,” the University said.

The compromised data contained personally identifiable information including names and social security numbers. D’Youville University said it found no evidence of the stolen information being misused, but the possibility of the same cannot be ruled out.

D’Youville University has provided a year of complimentary credit monitoring service through Experian to all affected individuals who need to enroll by August 31 to avail of the service. It also urged them to remain vigilant against identity theft and fraud attempts by reviewing their account statements and report any suspicious activity to relevant law enforcement agencies immediately.

US law firm Turke & Strauss LLP said on 12th June that it is investigating the university regarding the data breach that compromised the names and social security numbers of an undetermined number of individuals.

Earlier this month, the New York-based University of Rochester also said that it suffered a significant data breach resulting from a software vulnerability in a product developed by a third-party file transfer company. In a statement published on 2nd June, the University said that it believed that faculty and students’ information was compromised but did not know the true impact of the incident.

While the University did not name the third-party file transfer application that was exploited, several organisations worldwide suffered significant security incidents over the past weeks after threat actors exploited a zero-day vulnerability in the MOVEit Transfer web application developed and marketed by US-based software company Progress Software.