An attack on American Institutes for Research (AIR) servers may have led to unencrypted staff information being breached.
Hackers gained access to an AIR server on May 12, exposing staff information. Fortunately, the information of students was stored on external systems and therefore remained secure.
After learning of the incident, AIR subsequently brought in a digital forensics firm to investigate. The personal information of around 6,500 staff was leaked, including Social Security numbers and payment information.
Employees of the company from 10 years ago were identified as having data on the server. AIR subsequently notified them.
Joseph Hawkins, who worked at the institute from 1998 to 1999, was notified of the breach by AIR. Mr Hawkins explained that he was concerned his personal information was secured.
"Given that AIR is constantly dealing with [clients] that require the highest security and encryption, that they didn't do that for their own employees is to me a serious issue."
A letter released by AIR and obtained by Education Week detailed the nature of the attack, including the date it occurred, number impacted and efforts that the Institute would take.
"At this point, we have no evidence that any information was accessed or misused," explained a letter from President and CEO of AIR David Myers.
The cyber attack is a clear example of how a penetration test could have identified flaws in the network, and prevented a breach from occurring.