University of Minnesota: Notice of Data Incident

The University of Minnesota is providing notice of a recent data incident that potentially compromised the security of some private information that the University of Minnesota maintains. This webpage explains what happened, what information was potentially accessed, what the University is doing in response to the incident, and what steps individuals can take to help protect against the misuse of their information.

What Happened?

On July 21, 2023, the University of Minnesota learned that a person was claiming to have posted on the Internet in July 2023 certain admissions, race, and ethnicity information held in a University database. The University immediately initiated an investigation and promptly engaged forensics professionals to assess whether the claim was credible and to ensure the security of the University’s electronic systems. After an extensive investigation, the University determined that a person likely gained unauthorized access to a University database in 2021. This incident has not affected University operations.

What Information Was Involved?

Based on the University’s investigation, the incident potentially affected individuals who submitted information to the University as a prospective student, attended the University as a student, worked at the University as an employee, or participated in University programs between 1989 and August 2021.

The potentially affected information may include an individual’s full name, address, telephone number, Social Security number, driver’s license or passport information, University identification number, birthdate and demographic information, admissions applications, employment information, as well as other information provided to the University, depending on an individual’s affiliation(s) with the University during this time period. The University’s extensive investigation showed no evidence that donation, medical treatment, password, or credit card information was in the database. 

Examples of information that may have been potentially affected, depending on an individual’s affiliation, are listed below.

Prospective Students (and certain parent or guardian data):  Information supplied in admissions or financial aid applications submitted directly to the University or through the standard Free Application for Federal Student Aid (FAFSA) form, including student and parent or guardian names, contact information, Social Security numbers, dates of birth, high school and high school grade information, standardized test scores, demographic information, and family income.

Students: Information related to an individual’s education, including student contact information and parent or guardian names and addresses, student email addresses, Social Security number, student ID number, date of birth, classes, grades, demographic information, insurance policy number, loan data, degree, and diploma year.

Employees: Information related to an individual’s work, including name and address, email address, Social Security number, employee ID number, date of birth, driver’s license or identification card, and payroll information (but not bank account information).

Others: Similar categories of information as described above, if provided by individuals with unpaid University appointments, those who performed work for the University, those who received taxable payments from the University, and University volunteers or spouses/partners of certain University administrators.

What We Are Doing.

The safety and privacy of all members of the University community are a top priority, and the University has increased its vigilance in securing information that it maintains. Scans of the University’s electronic systems have not revealed ongoing suspicious activity related to this incident. Working with forensics professionals, the University has also taken steps to bolster its overall system security, including increasing data access control measures, reducing the number of people authorized to access sensitive information, expanding multi-factor authentication and other security measures, and increasing monitoring for suspicious activities. The University has worked with the appropriate law enforcement and regulatory officials, and will continue to cooperate in any active investigation by those agencies. Finally, the University offered potentially affected individuals 12 months of free credit and identity monitoring services. This offer was extended through March 29, 2024. 

What You Can Do.

Individuals can review the information guide called Preventing Identity Theft and Fraud and monitor online and financial accounts and credit reports for unauthorized activities. The University recommends that individuals report any suspicious activities to appropriate law enforcement. 

For More Information.

Individuals may also obtain access to a report that the University will prepare on the facts and results of the University's investigation, once complete. Individuals who want a copy of that report sent via email or mail should email the dedicated response team at [email protected].

For additional information, please review the frequently asked questions.