Metro State data breach affected 160,000 students

Courtesy of Metropolitan State University

Metropolitan State University officials say a “probable” data breach announced in January likely exposed the personal information of about 160,000 current and former students.

An investigation has concluded that a hacker could have obtained the last four digits of the Social Security numbers of about 11,000 students, they said.

But no other student financial or credit-card data is in jeopardy, they said. A university spokeswoman said no one from the Metro State community has reported any identity theft.

In an emailed statement, interim president Devinder Malhotra wrote:

“We regret this incident and sincerely apologize to those impacted. Since learning of this intrusion, our Information Technology team has disabled the vulnerability that permitted the breach and replaced the affected server. The university also completed additional security measures to minimize future security risks.”

In February, the administration notified 900 faculty – who’d served at any point between 2004 and 2009 — that their Social Security numbers may have been taken in the hacking. A university spokeswoman said she did not know for sure whether that data contained full Social Security numbers or just the last four digits, but thought the hacker got just partial numbers.

Metropolitan State University announced the breach Jan. 16, saying a hacker had penetrated a university web server once in mid-December. They said a network security service discovered the hacking Jan. 2, and that five days later personnel fixed the software glitch that caused it. The university also moved its web site to a new server.

University officials say about 25,000 of the 160,000 students affected have been enrolled in the past three years. But a spokeswoman said she did not know how far back in time the affected data goes.

The information includes dates of birth, home addresses and phone numbers, grade point averages and other personal information.