ORANGE COUNTY, Fla. (WOFL FOX 35) - A FOX 35 investigation has revealed that in the months leading up to a cyber security breach at the University of Central Florida, leaders decided against an important cyber security measure.
In February, the university announced that hackers had gotten ahold of the Social Security numbers of 63,000 students, staff, and alumni.
According to the university the breach happened in December of 2015. A memo written by the university’s Information Security Office and published in January of 2015 warned of what an independent security expert called a major weakness in the university’s cyber security plan.
"It's a big hole in their security program,” said Evan Dygert a computer security expert based in central Florida.
The memo which was titled “Security Incident Breach for Year End 2014” and dated January 15, 2015 said “most UCF data breaches occur due to human error” and “UCF users continue to be a major target for phishing attacks,” which are malicious emails that look like they’re from trustworthy sources.
Phishing emails aim to get people to click on links that could give hackers access to the university’s entire network of computers.
According to the memo, the number of phishing incidents at UCF more than tripled from 2013 to 2014.
Budget documents for the 2015-2016 school year reveal that the Information Security Office requested $35,000 to train students and staff to spot dangerous phishing emails. That request was denied.
A study published in March 2016 by Baker Hostetler, one of the largest law firms in the country found that phishing is the number one cause of data breaches.
"Any employee that succumbs to a phishing attack can put the organization at risk and so they're obviously having the same kind of problem or they wouldn't have brought it up in this kind of report,” Dygert said, adding that he would expect a university the size of UCF to train its employees and students to spot malicious emails.
“They should be training their people and their users because they are at such risk because of the information they keep. They have grades, they have financial information,” Dygert said.
FOX 35 asked UCF how the breach happened. They responded that a lawsuit prevents them from discussing it. They didn’t answer questions about why the university chose not to pay for the phishing training.
University spokesman Chad Binette sent the following statement:
"Safeguarding personal information is of the utmost importance to UCF. We have increased the Information Security Office's funding by 48 percent (to $1.54 million) during the past two years, investing in nine new positions, new systems and forensic software at a time when we are fulfilling many other needs, such as hiring hundreds of new faculty members and additional police officers. In light of the recent incident, we are thoroughly reviewing all of our online systems and training programs to determine what improvements we can make."
FOX 35 checked with the University of Florida, the University of South Florida, and Florida State University.
All provide specific training programs to teach students and staff how to spot phishing emails.
Dygert reviewed the budget documents FOX 35 received from the university. "It looks like they're doing pretty much what they should be doing except with the phishing,” he said.
Binette said the university is now considering a phishing education program.