A number of lawsuits have been filed against the University of Minnesota after a large data breach exposing at least seven million social security numbers was reported in mid-July.
One of the class-action lawsuits, brought by Jasmyn Martin, a former women’s volleyball player for the Gophers, was filed against the University on Aug. 29. The suit claims the University did not take the proper steps in protecting students’ private data.
As opposed to a civil lawsuit, where Martin would be suing the University individually, class-action means other students and faculty affected by the data breach can join the suit and receive a part of a potential payout.
“As a former Gopher student-athlete, I hope that this breach represents a learning experience for the University and that it takes steps to audit computer systems and databases and protect individuals’ confidential information going forward,” Martin said.
Martin attended the University for two years, during which she provided her social security number (SSN) and other personal data, like medical and banking information.
Kate Baxter-Kauf, one of the lawyers representing Martin, said at least six lawsuits, including Martin’s case, have been filed against the University so far, and most are trying for class-action status as well.
The first of these lawsuits to be made public was filed by Geoff Dittberner and Mary Wint, two former University employees. Both Dittberner and Wint were required to give their SSNs and personally identifiable information (PII) for employment purposes.
“UMN’s Data Breach resulted in the theft and exposure of confidential data, including social security numbers and other PII. Exposure of this type of data puts individuals at a significant and prolonged risk of fraud and identity theft,” Dittberner and Wint’s lawsuit reads.
The pair is being represented by Zimmerman Reed and is also seeking class-action status. Dittberner and Wint’s lawyers declined to comment.
The breach was first reported on July 21 by Cyber Express, a cyber security news site.
The University’s database had been accessed without its knowledge. This allegedly led to the unauthorized transfer of information, including over seven million unique SSNs and other private data.
The data extracted dates back to 1989 and includes personal information from current and past students, faculty and applicants to the University.
The University sent students and faculty an email notifying them of the breach on Aug. 22.
In a statement to students, faculty and staff, the University said “We investigate these situations immediately and fully, and are committed to keeping the community informed as additional, relevant information becomes available.”
According to University director of public relations Jake Ricker, the University did not comment right away to allow more time to verify whether the breach had actually occurred and whether data was stolen.
“Investigations of this nature take extensive time to conduct thoroughly and correctly so accurate notification can be sent to affected individuals,” said Ricker in an email to the Minnesota Daily.
Baxter-Kauf said there are ways organizations like the University could better protect themselves against an attack of this nature.
“There is a tendency to think that data breaches and hacks like this are just sort of inevitable, and that they’re something that happens and there’s nothing you can do about that, and that has not been my experience,” Baxter-Kauf said.
According to the lawsuit, under the Minnesota Government Data Practices Act, organizations like the University must “establish appropriate security safeguards for all records containing data on individuals.”
The University has policies and procedures to respond to a data security breach, which state it “will provide timely and appropriate notice to affected individuals when there has been a breach of security involving private data about them.”
Baxter-Kauf said they discovered the University may not have been following its cyber security regulations as well as it should have been.
“Educational institutions, especially big colleges and places that have lots of information like the University of Minnesota does, really need to do a better job of keeping track of data,” Baxter-Kauf said.
Both the St. Paul and Minneapolis Public School Districts also had data breach incidents this last year.
The Board of Regents held a non-public meeting on Tuesday to discuss the two lawsuits filed.
“You cannot get any more personal than social security numbers and I hope that the University takes greater precautions in the future to protect this highly personal and confidential information,” Martin said.