The University of New Mexico can confirm the unauthorized release of information on a vendor maintained UNM Police Department’s (UNMPD) web service, which included bicycle registration, lost and found, special events, and community relations. Of these, only the bicycle rental and lost and found involve student information, the others largely involve public employee data.
The UNM Information Security & Privacy Office is working with UNMPD to determine the details and the potential impact. UNM considers the security of information and information systems on our campus to be essential, and we take such incidents very seriously.
What IT knows, is that on or about 6/30/2020, Netsential, a vendor that maintains UNM Police Department’s (UNMPD) web services, informed UNM that UNMPD web services had been broken into as part of the “Blueleaks” attacks on law enforcement servers. The vendor informed UNM that there was one limited data set that may have been exposed, but that there was no evidence that other information had been accessed. On 10/6/2020, UNM learned that UNM PD’s bicycle registry data had been accessed and posted on a “Blueleaks” web site in another country. The “Blueleaks” attacks disclosed information about law enforcement officers. PII for UNM students does not appear to have been intended to target the “Blueleaks” attacks. No malicious use of this information is known to have taken place.
UNM is in the process of notifying the individuals affected by this breach. In addition, Netsential is working with law enforcement agencies to investigate how access occurred. As an interim measure, Netsential has implemented new steps to improve the security of information for which they are responsible.
UNMPD is working with IT service providers within UNM to assess the needs for web sites and web forms to provide a more secure longer-term solution.