Oct. 23, 1:00 p.m.:
This notice is to inform you about an incident that involved unauthorized access to personal information maintained by the University of Michigan.
What Happened. On August 23, 2023, the University detected suspicious activity on the University of Michigan campus computer network. We took quick and decisive action to contain the incident, including proactively disconnecting the campus network from the internet. We quickly launched an investigation with the support of leading third-party experts. Based on our investigation, we have determined that an unauthorized third party was able to access certain University systems from August 23, 2023 to August 27, 2023.
What Information Was Involved. The University used a dedicated review team to conduct a detailed analysis of the files included on the systems accessed by the unauthorized actor. Based on this data analysis, we believe that the unauthorized third party was able to access personal information relating to certain students and applicants, alumni and donors, employees and contractors, University Health Service and School of Dentistry patients, and research study participants. The following provides examples of the types of information, in addition to an individual’s name, that may have been accessed, depending on an individual’s affiliation with the University.
Students, applicants, alumni, donors, employees, and contractors: Social Security number, driver’s license or other government-issued ID number, financial account or payment card number, and/or health information.
Research study participants and University Health Service and School of Dentistry patients: Demographic information (e.g., Social Security number, driver’s license or government-issued ID number), financial information (e.g., financial account or payment card number or health insurance information), University Health Service and School of Dentistry clinical information (e.g., medical record number or diagnosis or treatment or medication history), and/or information related to participation in certain research studies.
What We Are Doing. As noted above, after suspicious activity was detected on our campus network, the University took quick and decisive action to contain the incident, including proactively disconnecting the campus network from the internet, and we quickly launched an investigation with the support of leading third-party experts. We also notified law enforcement and continue to coordinate with them. In addition, we are continuing to work with third-party cybersecurity experts to take steps to harden our systems and emerge from this incident as a more secure community.
What You Can Do. We have mailed letters to all individuals for whom we have an address and whose sensitive personal information was involved in the incident. Letters were mailed on October 23, 2023. Please allow at least five business days for these letters to arrive. Out of an abundance of caution, we are offering individuals whose sensitive information may have been involved in this incident complimentary credit monitoring services.
Additionally, we have established a dedicated call center for questions about this incident. If you believe your information was involved in this incident and did not receive a letter, please call the toll-free call center number at 1-888-998-7088 from 9:00 a.m. to 9:00 p.m. Eastern Time, Monday through Friday.
As a general matter, individuals should always remain vigilant for incidents of fraud and identity theft, including by regularly reviewing their account statements and monitoring credit reports. Any suspicious or unusual activity or suspicion of identity theft or fraud should be reported to the appropriate financial institution immediately.
In addition, individuals may contact the Federal Trade Commission (FTC) or law enforcement to report incidents of identity theft or to learn about steps to protect themselves from identity theft. To learn more, individuals can go to the FTC’s website at www. ftc.gov/idtheft, call the FTC at (877) IDTHEFT (438‑4338), or write to Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue, NW, Washington, D.C. 20580.
Individuals may also periodically obtain credit reports from the nationwide credit reporting agencies. Individuals that discover information on their credit reports arising from a fraudulent transaction should request that the credit reporting agency delete that information from their credit report file. In addition, under federal law, individuals are entitled to one free copy of their credit report every 12 months from each of the three nationwide credit reporting agencies. Individuals may obtain a free copy of their credit report by going to www.AnnualCreditReport.com or by calling (877) 322-8228. Individuals may contact the nationwide credit reporting agencies at:
Equifax
(800) 685-1111
P.O. Box 740241
Atlanta, GA 30374-0241
www.Equifax.com
Experian
(888) 397-3742
P.O. Box 9701
Allen, TX 75013
www.Experian.com
TransUnion
(800) 680-7289
Fraud Victim Assistance Department
P.O. Box 2000
Chester, PA 19022-2000
www.TransUnion.com
In addition, individuals may obtain additional information from the FTC and the credit reporting agencies about fraud alerts and security freezes. Individuals can add a fraud alert to their credit report file to help protect their credit information. A fraud alert can make it more difficult for someone to get credit in an individual’s name because it tells creditors to follow certain procedures to verify that individual’s identity. Individuals may place a fraud alert in their file by calling any of the nationwide credit reporting agencies listed above. As soon as that agency processes a fraud alert, it will notify the other two agencies, which then must also place fraud alerts in an individual’s file.
Individuals also can contact the nationwide credit reporting agencies at the numbers listed above to place a security freeze to restrict access to their credit report. Individuals will need to provide the credit reporting agency with certain information, such as their name, address, date of birth, and Social Security number. After receiving their request, the credit reporting agency will send the individual a confirmation letter containing a unique PIN or password that they will need in order to lift or remove the security freeze in the future. This PIN or password should be kept in a safe place.
For More Information. Please know that we regret any inconvenience or concern this incident may cause you. Please do not hesitate to contact us at 1-888-998-7088 if you have any questions or concerns.
University Message
To the University community,
We are writing today to provide you with an update about the IT incident that affected our three campuses just as the academic year was getting under way in late August.
Since we learned of the incident, we have been working diligently alongside leading third-party experts to learn more about what occurred. We conducted a thorough investigation, which continues, and we appreciate your patience as investigations of this nature, executed well, take time.
What Happened and How We Addressed It
On August 23, the University of Michigan detected suspicious activity on our campus computer network. We want to assure you that as soon as we discovered this incident, we immediately treated it with the utmost seriousness. Importantly, we took quick and decisive action to contain the incident, including proactively disconnecting the campus network from the internet. We quickly launched an investigation with the support of leading third-party experts. We also notified law enforcement and continue to coordinate with them.
Based on our investigation, we have determined that an unauthorized party was able to access certain university systems from August 23, 2023, to August 27, 2023. The university used a dedicated review team to conduct a detailed analysis of the files included on the systems accessed by the unauthorized actor.
Who is Affected and How We Are Supporting Our Community
The investigation was comprehensive and determined that the unauthorized third party was able to access certain information, including information relating to certain members of our community.
We are currently in the process of notifying relevant individuals. We understand this news is difficult and we are committed to supporting every member of our community.
We also are posting additional information on the Key Issues page of our website and setting up a dedicated call center (1-888-998-7088, available 9 a.m. to 9 p.m. ET, M-F) to respond to your questions.
Moving Forward, Together
Please know that protecting the information entrusted to the university is a responsibility we take very seriously and we are committed to learning from this incident.
We continue to work with third-party cybersecurity experts to take steps to enhance our systems.
Thank you for your patience, flexibility, and support as we work to address and resolve this incident. We are confident we will emerge from this challenge as a more secure community.
Sincerely,
Dr. Ravi Pendse
Vice President for Information Technology
Chief Information Officer
Sol Bermann
Chief Information Security Officer
Executive Director of Information Assurance
Frequently Asked Questions
What happened?
On August 23, 2023, the University detected suspicious activity on the University of Michigan campus computer network. We took quick and decisive action to contain the incident, including proactively disconnecting the campus network from the internet. We quickly launched an investigation with the support of leading third-party experts. Based on our investigation, we have determined that an unauthorized third party was able to access certain University systems from August 23, 2023 to August 27, 2023.
What information was involved?
The University used a dedicated review team to conduct a detailed analysis of the files included on the systems accessed by the unauthorized actor. Based on this data analysis, we believe that the unauthorized third party was able to access personal information relating to certain students and applicants, alumni and donors, employees and contractors, University Health Service and School of Dentistry patients, and research study participants. The following provides examples of the types of information, in addition to an individual’s name, that may have been accessed, depending on an individual’s affiliation with the University:
- Students, applicants, alumni, donors, employees, and contractors: Social Security number, driver’s license or other government-issued ID number, financial account or payment card number, and/or health information.
- Research study participants and University Health Service and School of Dentistry patients: Demographic information (e.g., Social Security number, driver’s license or government-issued ID number), financial information (e.g., financial account or payment card number or health insurance information), University Health Service and School of Dentistry clinical information (e.g., medical record number or diagnosis or treatment or medication history), and/or information related to participation in certain research studies.
I received a letter from IDX or have been asked to contact them. Who is IDX?
The University of Michigan has engaged IDX, a ZeroFox Company, to provide assistance to those whose sensitive personal data was involved in the incident or who have questions about whether they were impacted. We encourage you to contact IDX with any questions and, if your sensitive personal data was involved in the incident, to enroll in free identity protection services. IDX can be reached at 1-888-998-7088 or by using the enrollment site listed in your letter, if you received a letter.
How many individuals were notified?
On Monday, October 23, 2023, in compliance with our legal obligations, we began the process of notifying approximately 230,000 individuals whose sensitive personal data was involved in the incident through postal mail and through notice on our website.
What is the University of Michigan doing in response to this incident?
After suspicious activity was detected on our campus network, the University took quick and decisive action to contain the incident, including proactively disconnecting the campus network from the internet, and we quickly launched an investigation with the support of leading third-party experts. We also notified law enforcement and continue to coordinate with them. In addition, we are continuing to work with third-party cybersecurity experts to take steps to harden our systems and emerge from this incident as a more secure community.
What should I do to protect my information?
We have mailed letters to all individuals for whom we have an address and whose sensitive personal information was involved in the incident. Letters were mailed on October 23, 2023. Please allow at least five business days for these letters to arrive. Out of an abundance of caution, we are offering individuals whose sensitive information may have been involved in this incident complimentary credit monitoring services.
Additionally, we have established a dedicated call center for questions about this incident. If you believe your information was involved in this incident and did not receive a letter, please call the toll-free call center number at 1-888-998-7088 from 9:00 a.m. to 9:00 p.m. Eastern Time, Monday through Friday.
As a general matter, individuals should always remain vigilant for incidents of fraud and identity theft, including by regularly reviewing their account statements and monitoring credit reports. Any suspicious or unusual activity or suspicion of identity theft or fraud should be reported to the appropriate financial institution immediately.
Are you offering credit monitoring?
Out of an abundance of caution, we are offering individuals whose sensitive information may have been involved in this incident complimentary credit monitoring services.
Who can I contact if I have additional questions?
We have established a dedicated call center for questions about this incident. If you believe your information was involved in this incident and did not receive a letter, please call the toll-free call center number at 1-888-998-7088 from 9:00 a.m. to 9:00 p.m. Eastern Time, Monday through Friday. For general questions only you may email data.letter.questions@umich.edu.
What should I do if I believe I have been a victim of fraud or identity theft?
As a general matter, individuals should always remain vigilant for incidents of fraud and identity theft, including by regularly reviewing their account statements and monitoring credit reports. Any suspicious or unusual activity or suspicion of identity theft or fraud should be reported to the appropriate financial institution immediately.
In addition, individuals may contact the Federal Trade Commission (FTC) or law enforcement to report incidents of identity theft or to learn about steps to protect themselves from identity theft. To learn more, individuals can go to the FTC’s website at www. ftc.gov/idtheft, call the FTC at (877) IDTHEFT (438 4338), or write to Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue, NW, Washington, D.C. 20580.
How can I place a fraud alert or security freeze on my account?
Individuals may obtain additional information from the FTC and the credit reporting agencies about fraud alerts and security freezes. Individuals may also periodically obtain credit reports from the nationwide credit reporting agencies. Individuals that discover information on their credit reports arising from a fraudulent transaction should request that the credit reporting agency delete that information from their credit report file. In addition, under federal law, individuals are entitled to one free copy of their credit report every 12 months from each of the three nationwide credit reporting agencies. Individuals may obtain a free copy of their credit report by going to www.AnnualCreditReport.com or by calling (877) 322-8228. Individuals may contact the nationwide credit reporting agencies at:
Equifax
(800) 685-1111
P.O. Box 740241
Atlanta, GA 30374-0241
www.Equifax.com
Experian
(888) 397-3742
P.O. Box 9701
Allen, TX 75013
www.Experian.com
TransUnion
(800) 680-7289
Fraud Victim Assistance Department
P.O. Box 2000
Chester, PA 19022-2000
www.TransUnion.com
A fraud alert can make it more difficult for someone to get credit in an individual’s name because it tells creditors to follow certain procedures to verify that individual’s identity. Individuals may place a fraud alert in their file by calling any of the nationwide credit reporting agencies listed above. As soon as that agency processes a fraud alert, it will notify the other two agencies, which then must also place fraud alerts in an individual’s file.
Previous University Updates
Aug. 30, 10:30 a.m.:
Dear U-M community,
Thank you for your patience during our recent service disruption. I am happy to inform you that internet connectivity and WiFi has been restored on all U-M campuses. You should be able to connect as normal from any device.
We expect some issues with select U-M systems and services in the short term, and not all of our remediation efforts are complete. However, they will be resolved over the next several days.
We will be posting announcements about any service interruptions on the ITS status page. Please contact our Service Center for technical assistance if needed.
The investigative work into the security issue continues, and we are not able to share any information that might compromise the investigation. We appreciate your understanding as we continue to move through the investigative process.
In true Wolverine fashion, faculty, staff and students rose to the occasion and met the challenge to ensure continuity of our mission.
We extend a special thank you to the Information and Technology Services team who all worked tirelessly to address this challenge. We all appreciate all you have done, and continue to do, to maintain the safety of our enterprise systems.
Sincerely,
Santa J. Ono
President
Ravi Pendse PhD
Vice President for Information Technology and Chief Information Officer
University of Michigan
Aug. 30, 9:35 a.m.:
Information for U-M Employees
While the teams at ITS work to restore internet access on campus and additional online services here are some reminders for U-M employees.
While a universitywide internet outage continues to affect operations at the Ann Arbor, Dearborn and Flint campuses, Information and Technology Services is working continuously toward restoring service. Faculty, staff and students can now authenticate into their U-M accounts. Access to cloud-based services has been restored. Functioning systems are accessible from off-campus or cellular networks. Updates will be shared at umich.edu and @umichtech on Twitter.
- Information for U-M employees
- Q&A: Monthly payroll to be paid on time, and other issues
- Message from President Ono about internet disruption
Updated Aug. 30, 9:40a.m.
While the teams at ITS work to restore internet access on campus and additional online services, here are some reminders for U-M employees:
Annual merit processing: Most data was already loaded to the system before the disruption to our computer systems. Merit pay changes do not take effect until Sept. 1 for the Sept. 30 pay date (for monthly paid employees). The university will monitor the situation based on the duration of the system outage.
Benefits: Eligible faculty, staff and students who were unable to complete elections by their 30-day enrollment deadline due to the system outages will be provided with additional time. Affected individuals will be notified by email with instructions for completing their benefit elections.
Facilities and Operations: Maintenance requests are being prioritized, and delays may be required for some requests.
Parking: For those working on campus, Logistics, Transportation and Parking has lifted parking gates to ensure access for employees with proper permits.
Payroll: August monthly pay ran as normal and will be paid on Aug. 31. There should be no disruption for direct deposits or for those receiving hard copy paychecks. August timekeeping data was used for this month’s payroll as entered and approved prior to the outage.
Procurement Services: Several systems are currently inaccessible, including M-Marketsite and MPathways eProcurement.
Purchasing: Excluding medical devices, current ordering processes remain in effect with U-M business units or university-contracted suppliers that accept short codes. For emergency purchases with suppliers that do not accept short codes, please use a PCard. Please note that $5,000 is the standard credit limit on PCards, unless an increase was previously requested.
For information on your current credit limit and how much is remaining, please contact JP Morgan Chase Customer Service at 800-316-6056. You can request a temporary PCard credit limit increase to accommodate your purchases or contact Procurement Services at procurement.supervisors@umich.edu for additional assistance making emergent purchases. For Michigan Medicine medical device orders, please follow department down-time procedures and work closely with supply staff at each location.
Remote work: Employees should consult with their direct supervisors about additional flexibility with remote work until the internet outage in resolved.
Shared Services Center: Phone lines to the Shared Services Center came back online Aug. 29 and service requests are being received. System availability remains limited so responses may be delayed.
Travel and expense activity: The Concur system is now accessible at Concursolutions.com. Enter your full umich email address, click ‘Next’ and then click ‘Sign in with SSO.’ PCard approvals can be extended for one week. Please note that expense payments are not yet being processed.
If you have internet access, you can book travel through Lightning via the Travel Booking tile on Wolverine Access. Please contact CTP at 877-804-3688 (international 402-252-4404) or by email at umichigan@ctptravelservices.com for additional booking support.
Aug. 29, 2:55 p.m.:
To the university community:
Thank you for your continued patience during our ongoing online service disruption. Our team of IT and cybersecurity experts has made significant progress over the past 24 hours. All students, faculty and staff can now authenticate into their U-M accounts and access umich.edu when using off-campus or cellular networks. Off-campus/cellular network access has also been restored to cloud-based services like Google products, Canvas, Adobe Creative Suite, Zoom, Wolverine Access, Dropbox, Slack, Duo, and more.
We also continue to focus on restoring wiFi and internet access. Further announcements will be made on umich.edu and at @umichtech.
Aug. 29, 11:45 a.m.:
To the university community:
The loss of internet access and other business functions across the University of Michigan community cast an unfortunate cloud over an otherwise sunny and glorious start to the academic year.
Despite this setback, our campuses were alive Monday with a wide array of activities as students greeted each other, faculty members took their places in classrooms and researchers returned to their labs across our three-campus community.
I want to thank each and every one of you – students, faculty, staff, parents and visitors – for your diligence and your patience as we work to resolve this situation and restore access to online services and, ultimately, full internet access to our campus communities.
Faculty have adjusted their plans for their classrooms to account for the loss of internet access on our campuses.
Staff have seamlessly shifted to working remotely or come to campus to welcome and assist students as they make their way from one side of campus to another.
Our Information Technology Services teams, working together with leading cybersecurity service providers, are working tirelessly to resolve this disruption and I want to personally thank them for their dedication to this critical effort. Already they have restored an impressive array of online tools that are accessible and functional through off-campus internet connections.
The investigative work into the security issue continues. As noted in Monday’s message to the community, our U-M Division of Public Safety and Security and federal law enforcement partners are involved in this investigation.
While we will continue to share as much information as possible as this work progresses, we are not able to share any information that might compromise the investigation. I appreciate your understanding as we move through the investigative process.
Thank you again for your patience and contributions.
Santa J. Ono
President
Aug. 28, 1:50 p.m.:
To the university community:
We recognize that cutting off online services to our campus community on the eve of a new academic year is stressful and a major inconvenience. We sincerely apologize for the disruption this has caused.
Our Information Assurance team, in partnership with leading cybersecurity service providers, detects, deflects, and mitigates a steady stream of malicious actors every hour of every day.
Sunday afternoon, after careful evaluation of a significant security concern, we made the intentional decision to sever our ties to the internet. We took this action to provide our information technology teams the space required to address the issue in the safest possible manner.
The team is working around the clock and already has restored access to some systems. Updates will be available on umich.edu and on @umichtech on Twitter.
That said, it may be several days before all online services return to their normal levels. Here are some important things to know:
- It appears that the impact is not the same across the university or on all campuses. All clinical applications at Michigan Medicine are functional and no patient care has been disrupted.
- Classes are meeting on all three campuses. Faculty members will, to the best of their abilities, communicate directly with students directly regarding any needed adjustments. Please check ro.umich.edu/calendars/schedule-of-classes to view public course schedules and locations.
- Campus leaders recognize that many students rely on U-M systems to access class information and navigate campus, especially on the first day of classes. Consideration will be given to students for impacts to class attendance or assignments that depend on U-M systems while our teams work to restore service.
- Campus remains open. Residence halls, dining facilities, classroom buildings, and all university offices are operational. Individual units are making local decisions about where (on campus or remotely) employees are best able to fulfill their roles.
- In recognition of the challenges faced during this outage, students will not incur late registration or disenrollment fees through the month of August.
- While many students received an initial disbursement of financial aid funds, financial aid refunds may be delayed due to the system outage.
- While the campus internet (wired and WiFi) is still down, cloud services such as Google, Canvas, Zoom, Adobe Cloud, Dropbox, Slack and other systems are now back online and reachable when using off-campus and cellular networks. Please note that cellular networks are currently under much greater stress than normal.
- Certain campus systems, such as M-Pathways, eResearch, DART, remain unavailable at this time.
The U-M Division of Public Safety and Security and federal law enforcement partners have been informed and are involved.
Again, thank you for your patience. Please know the ITS teams are working tirelessly to resolve this matter as quickly as possible.
Ravi Pendse
Vice President for Information Technology.
Chief Information Officer
Sol Bermann
Chief Information Security Officer
Executive Director of Information Assurance
Andy Palms
Executive Director, Infrastructure
Information and Technology Services
Aug. 28, 9 a.m.:
We apologize for the ongoing disruption. On Sunday, the difficult decision was made to separate the U-M network from the internet to help mitigate technical issues. It was not made lightly, particularly given the timing with the first day of classes.
Classes are meeting. Please check ro.umich.edu/calendars/schedule-of-classes to view public course schedules & locations.
We will continue to restore systems and provide updates throughout Monday. We are hopeful we will have several systems back online by Monday afternoon. Updates will be available on umich.edu and on @umichtech on Twitter. We apologize for the inconvenience.
Aug. 28, 8:30 a.m.:
While systems currently remain offline, ro.umich.edu/calendars/schedule-of-classes is now live to allow Ann Arbor students to check public course schedules & locations. Classes are meeting today. Our next update will be made at 9:00 am ET. Updates will be available on umich.edu and on @umichtech on Twitter. We, again, apologize for the inconvenience.
Aug. 27, 11:59 p.m.:
UPDATE: Thank you for your patience. Teams remain working to restore access to online services. While systems currently remain offline, https://ro.umich.edu/calendars/schedule-of-classes is now live to allow Ann Arbor students to check public course schedules & locations. Our next update will be made at 9:00 am ET. Updates will be available on https://umich.edu and on @umichtech on Twitter. We, again, apologize for the inconvenience.
Aug. 27, 9:51 p.m.:
UPDATE: We are making progress but we are still working to resolve ongoing issues with U-M online services. We understand that this has a large impact for the community, and we regret the timing. The next update will be posted by midnight ET.
Aug. 27, 6:32 p.m.:
UPDATE: Due to a technology issue, U-M online services remain inaccessible at the moment, including Google, Canvas, Wolverine Access, and email. We are working toward restoration later this evening. The next update will be posted by 9:00 pm ET.
Aug. 27, 1:53 p.m.:
Due to a technology issue, internet connectivity will be intermittent or unavailable on the U-M Ann Arbor, Flint and Dearborn campuses starting around 1:45 pm on Sunday, August 27. Service will be restored as quickly as possible. We greatly apologize for the inconvenience.
