Data Incident Frequently Asked Questions

The University of Minnesota learned that a person was claiming to have posted on the Internet in July 2023 certain admissions, race, and ethnicity information held in a University database. The University immediately initiated an investigation and promptly engaged forensics professionals to assess whether the claim was credible and to ensure the security of the University’s electronic systems. After an extensive investigation, the University determined that a person likely gained unauthorized access to a University database in 2021. This incident has not affected University operations.

On July 21, 2023, the University of Minnesota learned that a person was claiming to have posted on the Internet in July 2023 certain admissions, race, and ethnicity information held in a University database. After an extensive investigation, the University determined that a person likely gained unauthorized access to a University database in 2021.

The incident potentially affected individuals who submitted information to the University as a prospective student, attended the University as a student, worked at the University as an employee, or participated in University programs between 1989 and August 2021. 

Our extensive investigation showed no evidence that donation, medical treatment, password, or credit card information was in the database. Other potentially affected information depends on an individual’s affiliation(s) with the University during the time period between 1989 and August 2021. 

Examples of information that may have been potentially affected, depending on an individual’s affiliation, are listed below.     

Prospective Students (and certain parent or guardian data):  Information supplied in admissions or financial aid applications submitted directly to the University or through the standard Free Application for Federal Student Aid (FAFSA) form, including student and parent or guardian names, contact information, Social Security numbers, dates of birth, high school and high school grade information, standardized test scores, demographic information, and family income.

Students: Information related to an individual’s education, including student contact information and parent or guardian names and addresses, student email addresses, Social Security number, student ID number, date of birth, classes, grades, demographic information, insurance policy number, loan data, degree, and diploma year.

Employees: Information related to an individual’s work, including name and address, email address, Social Security number, employee ID number, date of birth, driver’s license or identification card, and payroll information (but not bank account information).

Others: Similar categories of information as described above, if provided by individuals with unpaid University appointments, those who performed work for the University, those who received taxable payments from the University, and University volunteers or spouses/partners of certain University administrators.

Because the safety and privacy of all members of the University community are a top priority, the University has increased its vigilance in securing information that it maintains. Scans of the University’s electronic systems have not revealed ongoing suspicious activity related to this incident. The University has also taken steps to bolster its overall system security, including increasing data access control measures, reducing the number of people authorized to access sensitive information, expanding multi-factor authentication and other security measures, and increasing monitoring for suspicious activities. The University also worked with the appropriate law enforcement and regulatory officials, and will continue to cooperate in any active investigation by those agencies. Finally, the University offered individuals 12 months of optional, free credit and identity monitoring services. Individuals were not required to participate in this free offer. 

Scans of the University’s electronic systems have not revealed ongoing suspicious activity related to this incident. The University has also taken steps to bolster its overall system security, including increasing data access control measures, reducing the number of people authorized to access sensitive information, expanding multi-factor authentication and other security measures, and increasing monitoring for suspicious activities.

Yes. The University has worked with the appropriate law enforcement and regulatory officials, and will continue to cooperate in any active investigation by those agencies.

Yes. Notices were sent out to potentially affected individuals for whom the University had an email address. The email came from [email protected] and provided more detail about the steps being taken in response to this incident. In addition, the University provided notification through a nation-wide news release and linked to this page from its campus websites. 

The University has taken steps to bolster its overall system security, including increasing data access control measures, reducing the number of people authorized to access sensitive information, expanding multi-factor authentication and other security measures, and increasing monitoring for suspicious activities. The University has also worked with the appropriate law enforcement and regulatory officials, and will continue to cooperate in any active investigation by those agencies.

Based on the University’s investigation, the incident potentially affected individuals who submitted other information as a prospective student, attended the University as a student, worked at the University as an employee, or participated in University programs between 1989 and August 2021. The University’s extensive investigation showed no evidence that donation, medical treatment, password, or credit card information was in the database. 

Notices were sent out to potentially affected individuals for whom the University had an email address. Further questions can be sent to the dedicated response team at [email protected].  

This incident has not affected University operations.

No. The claims made by the unauthorized party in July 2023 did not include any demand for payment, and this incident did not result in the University losing access to or use of University data and has not affected University operations.

Yes. The University offered 12 months of optional, free credit and identity monitoring services for potentially affected individuals. These services, provided by a University contractor that specializes in these types of incidents, included single bureau credit monitoring, complimentary fraud consultations, and identity theft restoration support. The original deadline to enroll was December 29, 2023, and then extended to March 29, 2024 to accommodate our community.

More resources can be found on the information guide called Preventing Identity Theft and Fraud. 

The University is not aware of any identity theft resulting from this incident, but if you believe you are a victim of attempted or actual identity theft or fraud, it is recommended to take the following steps:

• Contact appropriate financial institutions to protect or close any accounts that have been tampered with or opened fraudulently.
• Contact the credit reporting agencies to place a “fraud alert” or “security freeze” on your credit reports.
• File a report with your local police or sheriff’s office and ask for a copy for your records.
• File a complaint with the Federal Trade Commission.
• File a complaint with your state Attorney General.
• Keep good records:
  • Keep notes of anyone you talk to regarding this incident, what he/she told you, and the date of the conversation;
  • Keep originals of all correspondence and forms relating to the suspicious or fraudulent activity, identity theft, or fraud; 
  • Retain originals of supporting documentation, such as police reports and letters to and from creditors. When requested to produce supporting documentation, send copies (not originals) and,

More resources can be found in the information guide called Preventing Identity Theft and Fraud. 

The University’s extensive investigation showed no evidence that password information was in the database. However, as a best practice, it is recommended that individuals change passwords routinely. Make sure to take adequate precautionary steps, including using difficult-to-guess passwords and avoiding use of the same password(s) across multiple applications, accounts, or services.

Individuals currently affiliated with the University (e.g., a student or employee), can find more resources that can be utilized to best protect University-related accounts on the University’s webpage titled “Practice Safe Computing”.

Individuals currently affiliated with the University (e.g., a student or employee), can find more resources that can be referenced to help avoid potential phishing attempts on the University’s phishing protection webpage. More resources also can be found on the webpage called Preventing Identity Theft and Fraud.