No good news ever begins this way:
We are writing to inform you of a data security-related incident that may have involved your personal information. On March 9, 2015, Information Technology (IT) staff in the School of Engineering detected that malicious software, or “malware,” had been placed on a number of servers that are part of the School’s technical infrastructure over a period of months, with penetration of the servers beginning as early as September 2013.
So the compromise began in September 2013, was first detected in March 2015, and is only now being disclosed to some of those affected in May 2016?
The only good news, it seems, is that they don’t have definitive evidence of exfiltration of personal information or misuse of the information. Then again, they don’t have definitive evidence that there’s been no exfiltration of names, contact information, Social Security numbers, employment information, student academic information, research data and School of Engineering graduate level admissions data, and/or Individual Taxpayer Identification Number:
To date there is no evidence that any data was accessed or disclosed from the School of Engineering’s servers; however, there also is insufficient evidence to conclude that data was not accessed or disclosed.
Read the rest of the University of Connecticut’s notification template on the web site of the California Attorney General.
Note that UConn had disclosed the March 9, 2015 discovery in a notification at that time and in a press statement issued in July, 2015.