The Social Security numbers of tens of thousands of former students were exposed to hackers at Iowa State University and Johns Hopkins University.
Iowa State said about 29,780 students enrolled at the Ames, Iowa-based university from 1995 to 2012 were exposed in a breach of five servers on campus.
“The servers were hacked by an unknown person or persons seeking to generate enough computing power to create a type of digital money, known as Bitcoins,” the university said in a statement.
The school said there is no evidence any exposed files were actually accessed or that any student financial information was exposed.
Nevertheless, the school said it sent letters to all students connected to the exposed Social Security numbers. Additionally, it sent letters to another 18,949 students whose school identification numbers were on the compromised servers.
Identity-theft protection specialist AllClear was hired by the university to assist students.
Meanwhile at Johns Hopkins, 2,166 Social Security numbers belonging to graduate students at the university’s Homewood campus from 2007 to 2009 were inadvertently exposed on a server accessible to the Internet.
The Baltimore-based school said it does not think anyone accessed the numbers, but the records were accessed, possibly by search engines or web crawlers. Johns Hopkins, which discovered the breach on March 19, immediately alerted authorities and has sent letters to the affected students, it said.
Both universities made free credit-monitoring services available.
Institutions of higher education rank near the top when it comes to data-security incidents—second only to healthcare organizations, according to Advisen data.
At the beginning of March, Johns Hopkins was informed by the FBI that information stolen from its Department of Biomedical Engineering server was posted on the Internet.
The university said it had just received an “extortion message” from someone claiming to be from the hacking group Anonymous.
The extortionist threatened to post data if the university did not turn over IDs and passwords to access the university’s networks. Johns Hopkins did not comply.