Any member with an Educause online account, be they administrative, billing or technical contacts, must change their passwords, which the company has already deactivated, it cautioned in a security alert.
Any information contained in individual Educause website profiles (including name, title, email address, username and hashed password) may have been compromised. Additionally, the breach may have compromised the hashed passwords of .edu domain holders.
Some members may be safe: “It is not necessary for InCommon account holders to update their institutional credentials because Educause does not have access to, or store on any server, InCommon account information,” the group said.
"Based on our investigation to date, we do not believe that any sensitive personal or financial information has been accessed," the group added in a statement.
Educause said that administrative and technical contacts have already been notified, and that it is working to get the word out via email and social media. “Educause took immediate steps to contain this breach and is working with Federal law enforcement, investigators and security experts to make sure this incident is properly addressed,” it said.
Along with outside security experts, Educause says it has implemented additional security measures to help prevent this type of breach in the future.
No word as to what or who caused the breach has yet been released.
Ironically, one of its initiatives is the Higher Education Information Security Council, which is focused on improving programs for information security, data protection and privacy programs. Educause in general has a focus on analysis, advocacy, community building, professional development and knowledge creation to support the “transformative role that IT can play in higher education,” with membership that spans not only colleges and universities but also government and supporting corporations.