Butler University data breach victims stretch back over 30 years

Some 163,000 people are receiving letters through the mail right now, and it’s not good news.

Butler University in Indianapolis has the unpleasant task of informing students, alumni, faculty, staff and even past applicants who never attended the university that their personal and financial information has been stolen by hackers.

The letter, signed by University president Jim Danko, offers some details of how the university came to discover that it had been hacked and the nature of the stolen information:

On May 28, 2014, Butler University was contacted by Californian law enforcement and alerted to an identity theft investigation in which the suspect had in his possession a flash drive containing the personal information of certain Butler University employees. Upon learning of this, Butler University immediately notified the affected employees and launched an internal investigation. This investigation revealed that this personal information could have originated from unauthorized hacking into Butler University’s computer network between November 2013 and May 2014. Third-party computer forensic experts were retained by Butler University to confirm these findings and to identify the full extent of data potentially exposed as a result of this incident. While these investigations are ongoing, we have determined that files containing your name, date of birth, Social Security number, and bank account information were accessible to the hacker(s) during this time period.

The letter goes on to promise a year’s complimentary identity theft protection. But what people really wanted was for their information to be properly secured in the first place (or safely wiped when no longer required).

After all, what happens if the bad guys take over a year to exploit the information? Presumably Butler University’s fig leaf of 12 months’ protection isn’t going to be much help then.

The letter has confused some recipients, who suspected that it might be a scam.

Sadly, it isn’t.

According to the Indy Star, Butler spokesperson Marc Allan confirmed that even people who graduated as far back as 1983 could have had their information exposed by the security breach.

1983. Let that sink in for a moment.

That’s over 30 years ago. 1983 was when a young Matthew Broderick and Ally Sheedy hacked into military computers in the movie “WarGames” for heaven’s sake.

That’s a lifetime ago.

What are the chances that Butler University still has up-to-date addresses for all 163,000 people stretching back that many years?

Mind you, if they did have up-to-date contact information, would you have trusted them to keep it safe?

About the author


Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.