August was almost 3 months ago, did they just find out now?
Sysadmin
A community dedicated to the profession of IT Systems Administration
No generic Lemmy issue posts please! Posts about Lemmy belong in one of these communities:
[email protected]
[email protected]
[email protected]
[email protected]
Possibly. University networks can be complicated. You have a large number of students who change yearly, a large group of faculty who tend to enjoy more privileges and autonomy than a corporate employee, lots of different IT departments, lots of tech debt and legacy apps/equipment, likely not enough funding and typically a difficulty attracting and keeping IT professionals who can usually make more money in a corporate job...
And even if they did catch it immediately it takes time to assess the breach, talk with lawyers and law enforcement, determine the scope of the issue, contract a company to assist with notification requirements, identify everyone whose data was breached, identify likely addresses for those people, draft notification letters and press releases, get those drafts approved, etc.
No, they're just releasing information now. Bleeping Computer wrote this when the incident first happened: https://www.bleepingcomputer.com/news/security/university-of-michigan-shuts-down-network-after-cyberattack/
It's not that they just found out, but more that they have combed through and prepared all of the information they could legally release.