The University of Wisconsin-Milwaukee in the US is notifying 75,000 students and staff that their personal information may have been exposed in a breach of one of the institution's IT systems in May, but the delay is highlighting the need for more timely breach notifications.
The breach was discovered in late May, and a month later investigators found that the database containing Social Security numbers was part of the compromised system, according to local media reports.
The intruders gained access to the IT system by remotely installing software to allow backdoor access into a University of Wisconsin-Milwaukee database on a system used for scanning and viewing documents.
Although investigators are not sure how long the malicious software was on the system, they do not believe anyone accessed the information it held.
In a series of FAQs on a website dedicated to information about the breach, the university said: "There is no evidence that the unauthorised individuals were aware of your personal data in the compromised database or that it has been retrieved. However, we wanted to make you aware of the incident, suggest steps you could take to monitor your financial information, and let you know what we have done to prevent this from happening in the future."
Although forensic investigators say the target of the breach appears to be research being carried out by the university and not personal information, the institution has been criticised for taking a month-and-a-half to notify students and staff of the risk.
Security industry representatives say that if personal information has been stolen, the hackers have had ample time to misuse the data.
Many US states have made data breach disclosure mandatory, but US legislators are still working on new federal laws that would require companies and organisations to disclose data breaches in a timely manner and provide a minimum of protection for affected individuals.
Similar legislation is likely in Europe, with the European Commission currently gathering feedback on whether additional rules are needed to ensure telecoms operators and internet service providers (ISPs) report personal data breaches in a consistent way across the EU.
The data breach notification (DBN) requirement for the electronic communications sector was introduced in the review of the ePrivacy Directive (2002/58/EC), and is regarded by the European Commission (EC) as vital to shoring up data security in Europe.
In May this year, the EC released the revised ePrivacy Directive (2009/136/EC) that requires telecoms operators and ISPs to make breaches public, and many in the legal sector believe this is a forerunner to wider data breach notification obligations being introduced across Europe.