How to protect your identity after the U of M data breach

CATHY WURZER: --or worked there or even applied to go to work or school there between 1989 and August of 2021, you need to look for an email from the school about a data breach. Hackers may have accessed personal information, including but not limited to names, birth dates, Social Security Numbers, and driver's license or passport information.

NPR News reported the university plans to email approximately 2 million people. But a hacker claims to have access to more than 7 million Social Security Numbers, according to the tech news site The Cyber Express. Six former students and former employees are suing the U in federal court over the breach and seeking class action status. The Minnesota Bureau of Criminal Apprehension is investigating.

Joining us right now to help explain next steps for people whose information may have been released, cybersecurity specialist Ian Coldwater. Hey, Ian. Welcome back.

IAN COLDWATER: Hi. Thank you very much for having me.

CATHY WURZER: Boy, the scale of this is pretty concerning. How does something like this happen?

IAN COLDWATER: Well, it could happen in any number of ways. The hacker in this case said that they accessed the database of student records basically from the time that the U of M started digitizing it in 1989. And there's various ways that a hacker could get into a database like this. But basically, I think from the back end, it happens because there weren't sufficient security measures to keep the hackers out.

CATHY WURZER: The University of Michigan had to shut down its network for, I believe, a couple of days last month because of a cyber attack. Are hacks becoming more common in higher education?

IAN COLDWATER: It's hard to say. I don't have the statistics on that on me. But it has been happening a lot. A exhibit got put in recently in a suit regarding the MOVEit vulnerability that listed over 900 schools and organizations that were affected by this particular vulnerability in software, including a lot of ones in Minnesota as well as Harvard, Stanford, and various organizations and schools that we've all heard of. So it does happen. It's been happening a lot this year because there have been a couple of particularly high-profile vulnerabilities that have been affecting schools a lot.

CATHY WURZER: The hack of the file transfer software MOVEit, that seemed interesting. I mean, how many people use file transfer software? Many of us do. How concerning is that?

IAN COLDWATER: A lot of people do. It's an issue. And I think it speaks to you can't-- it's very difficult to entirely prevent the possibility of being hacked because there's just so many things that can go wrong. But some things that institutions can do in situations like this to try to prevent the scale of the breach from becoming bigger are limit who can access sensitive information and to segregate information on networks such that if somebody does get into the network, they can't see absolutely everything, and also encrypt the data on those databases and on those networks so that if somebody is in that network, they can't just easily see everything.

CATHY WURZER: In terms of the U of M, as I mentioned, I mean, this is a pretty big breach. Think of how many people in this state have worked or attended or even applied to go to the U of M. What are some of the risks these folks are facing?

IAN COLDWATER: It's a lot of people, I mean, honestly myself included. Some of the risks that people are facing in a breach like this or this breach in particular include identity theft because there's a lot of personal identifiable information that can come out in a breach like this. So some things that people can do to try to protect themselves in this situation can be found on identitytheft.gov. And so people need to keep an eye out for their financial information, for their internet accounts, stuff like that.

And people's threat models can vary depending on their personal situation. So for some people, for example, people who have tried to escape from domestic abuse, that kind of thing, having their personal information out there might carry a different kind of threat. So know what kind of risk you are facing personally. And if you're facing that kind of threat, maybe take different kinds of safety measures. But for most folks, it's mostly an identity and potentially fraud risk.

CATHY WURZER: Do you have to wait until you get the email from the U to start doing something?

IAN COLDWATER: Here's the thing is that a lot of people are not going to get an email from this breach because the only people who are getting emails about it are people who the U of M has on file already. So I wouldn't assume necessarily that if you don't see an email from this that you haven't been affected.

If you are on this list of people, people who have applied as a student, former students, former employees, contractors, people who have volunteered, anyone who's been affiliated or involved with the U in any of those capacities, if you are one of those people, I would assume that you have been affected whether or not you receive that email. And you don't have to wait for the email in order to start taking measures to protect yourself. You can start doing that now.

CATHY WURZER: And so that would be, what, changing passwords? And how would you start that process?

IAN COLDWATER: Sure. So as I said, to protect against identity theft, there's a really good, practical list of steps listed on identitytheft.gov that people can check and go through the list of. You can put your credit on freeze.

For protecting your internet accounts, one thing you can do is change your passwords although it doesn't really say that passwords have been breached here as far as I know. It never hurts to change your passwords. But a couple of good things to do generally to protect your internet accounts are to not reuse passwords, don't use the same passwords on different accounts, and to use a password manager, such as 1Password or Bitdefender, so that you can use unique passwords for all of your accounts and then change them easily when you need to.

Another thing that you can do that's very useful is use multifactor authentication so that if somebody like me who gets into your accounts, if they get into-- or if they get your password, if they try to log into your account like that, then it has to make you prove that you're you in order to log in. And so if a hacker gets in and then needs to have that extra step, it prevents them from being able to get in further.

So if you turn on multifactor authentication on your accounts, which makes you prove that you're you before it will actually sign you all the way in, that can really help keep other people out of it even if they do have your credentials.

CATHY WURZER: But it sounds like this is mostly focused on information that could lead to identity theft versus, say, something that would lead to a breach of your bank accounts. Say if I was a donor to the U of M, we don't know if donors have been affected, mostly students, former students, and employees, right?

IAN COLDWATER: It's prospective students, students, employees, and then it says others, similar categories of information as described above if provided by individuals with unpaid university appointments, those who performed work for the university, those who received taxable payments from the university, and university volunteers or spouses or partners of certain university administrators. So it's not just those folks. That's me reading off of the U of M data breach notice. So if you are any of those people, affect-- accept that-- gosh, words are hard. If you are any of those people, expect that it's possible that you might have been affected by this.

CATHY WURZER: Oh, Ian. Wow. And you're in this group.

IAN COLDWATER: I am in this group. I am a former U of M student, a current U of M parent, and a MPS parent. So it's been a great year for me as well as most of the other people in the state at this point.

CATHY WURZER: I was going to say, I remember talking to you about you have a student in the Minneapolis Public Schools, which, of course, had its own data breach. And I suppose when you got this, saw the information, you thought, oh, great. Another one.

IAN COLDWATER: Batting a thousand here.

CATHY WURZER: Gosh. OK, so what will you be looking for? I mean, do you-- by the way, does this automatically-- are we seeing more individuals affected by data breaches going to court? Have you been able to determine that?

IAN COLDWATER: It's hard to say because there are frankly just so many data breaches. It's hard to keep track of them all. It does happen. I don't know if it happens universally. But as more data breaches happen, it would not shock me if you started seeing more of that kind of thing happen. But I'm not a lawyer or a person who works on the legal matters on these issues. So it's hard for me to answer that with any kind of educated knowledge.

So you had asked a second ago if it is just a matter of identity theft rather than financial fraud. And, well, it's a little hard to say because identity theft can lead to financial fraud like if somebody has enough of your identity information to be able to open up an account on your behalf with your name and info, then that can be a financial issue, too.

So I would just say keep an eye out on your financial accounts, on your credit reports. And if anything funny happens, if there are any transactions you didn't make, accounts you didn't open, logins that weren't you, don't wait. Jump on that. Report it. Try to shut it down because nip it in the bud while you can.

CATHY WURZER: Yeah, exactly. Ian, it's always great talking to you. Thank you so much.

IAN COLDWATER: Thank you very much. Appreciate you having me on.

CATHY WURZER: Ian Coldwater is a cybersecurity specialist based in Minneapolis.