University of Minnesota faces lawsuit over potentially massive data breach

A former student and former employee have sued the University of Minnesota, arguing it didn't do enough to protect their personal information from a potentially massive data breach.

Attorneys representing the pair argue that the university "knew or should have known" about an array of state and federal laws and other data security measures that "would have prevented the Data Breach from occurring at all, or limited and shortened the scope of the Data Breach."

"UMN was fully capable of preventing'' the breach, attorneys wrote in the lawsuit, filed in federal court Friday.

The university declined to comment on the suit.

"With that said, I want to reiterate that the safety and privacy of all members of the University community are among our top priorities," spokesperson Jake Ricker said in an email.

The U acknowledged last week, in response to questions from the Star Tribune, that it learned July 21 "that an unauthorized party claimed to possess sensitive data allegedly taken from the University's systems."

The university didn't specify how it learned of the issue. That same day, the Cyber Express, a news site focused on cybersecurity, posted a story about a hacker's claims to have accessed some 7 million Social Security numbers dating to 1989. The report said the hacker accessed the university's data warehouse to analyze the effects of affirmative action following the U.S. Supreme Court ruling that limits the consideration of race in college admissions. The report didn't say whether the hacker made demands of the U.

"First, you have to determine somebody claims something, but is there evidence that it actually is true?" U interim President Jeff Ettinger said in an interview last week.

He said the university was investing "fairly significant resources" to try to determine how many people's information was accessed so the U could notify them.

The FBI's Minneapolis office is "aware of the situation" and working closely with the Minnesota Bureau of Criminal Apprehension. "As this is an ongoing investigation, we cannot provide any further information at this time," the FBI said in a statement. The BCA said the investigation is ongoing.

The lawsuit brought against the university was filed by Geoff Dittberner, who studied at the university and worked as a government relations office assistant there, and Mary Wint, who worked at the U as a nutrition educator for about 20 years and was a patient of its health care system. Attorneys at Zimmerman Reed, the firm representing the pair, are seeking class-action status, a move that could potentially allow more people to seek compensation if their data was hacked.

"Exposure of this type of data puts individuals at a significant and prolonged risk of fraud and identity theft," the attorneys wrote, adding that people will need to "remain vigilant against unauthorized data use for years or even decades to come."

The lawsuit accuses the university of negligence and violating the Minnesota Government Data Practices Act. It does not specify how much money the pair are seeking but notes the court has jurisdiction in cases "where the amount in controversy exceeds $5,000,000, exclusive of interest and costs."