Carnegie Mellon Confirms a Data Breach at the University That Hosts the CERT Coordination Center

PA · infrastructure failure · advisory · high confidence
Confirmed Threat

Carnegie Mellon University — home of the CERT Coordination Center and one of the country's leading cybersecurity research universities — confirmed on October 13, 2023, that an unauthorized party had accessed its network between August 25 and August 31, 2023, exposing personal information of an undisclosed number of students, faculty, and staff. The disclosure landed weeks after internal IT notices about disruptions to CMU email and Single Sign-On in early September and prompted an unusually pointed Tartan editorial noting that the university 'literally invented modern incident response' but took six weeks to tell its own community what happened.

Alerts: 2
Response (min):
Killed: 0
Injured: 0
Institution
Carnegie Mellon University
Private R1 · PA
~15,818 students
CMU Alert
Confirmed Timeline

Alert Sequence

2 messages in sequence · 1 verified verbatim

Some alert texts below are approximate reconstructions from news coverage, not confirmed verbatim transcripts. Reconstructed texts are shown in italic with a dashed border. Verified verbatim texts have a solid border and are marked accordingly.

INITIAL ALERT · Email
CMU community: Information Security Office is investigating a service disruption affecting Single Sign-On, Andrew email, and several enterprise applications. Some users may be prompted to re-authenticate or may temporarily lose access. ISO has implemented additional security controls. We recommend that you avoid logging in from public Wi-Fi networks until further notice and enable multi-factor authentication if you have not already. Updates will be posted to status.cmu.edu.

This text has been reconstructed from news coverage and may not reflect the exact original wording.

Notice doesn't acknowledge a breach but quietly implements 'additional security controls' — the standard pattern between intrusion containment and public disclosure.
Recommending MFA 'if you have not already' was a tell that MFA was not yet universal at CMU even in 2023.
FOLLOW-UP · Email · +42d
Carnegie Mellon University is writing to inform you of a data security incident that may have involved some of your personal information. Between August 25, 2023 and August 31, 2023, an unauthorized party gained access to certain CMU systems. Upon discovery, CMU immediately took steps to contain the incident, engaged leading forensic investigators, and notified law enforcement. We have determined that the personal information that may have been accessed includes name, contact information, date of birth, and, for a smaller subset of individuals, Social Security number, financial account information, and protected health information. CMU is offering two years of complimentary credit monitoring and identity theft protection through Kroll. The CMU Alert emergency notification system was not affected by this incident.
Affirmative statement that CMU Alert was not affected — a notable choice at the university that hosts CERT/CC and is publicly accountable for cybersecurity best practice.
Six-week gap between containment (Aug 31) and public disclosure (Oct 13) is at the long end of the industry norm; Pennsylvania's breach-notification statute requires notice 'without unreasonable delay' but specifies no fixed timeline.
Friday-afternoon disclosure timing follows the same news-cycle minimization seen at Stanford and N.C. A&T.
Context

Background

Carnegie Mellon's Software Engineering Institute hosts the CERT Coordination Center — literally the organization that defined modern incident response after the 1988 Morris Worm. So when the university itself was breached in late August 2023, the disclosure landed with extra scrutiny. The intrusion window was August 25 through August 31, 2023; CMU's Information Security Office quietly implemented 'additional security controls' on September 1, prompting a noticeable disruption to Single Sign-On and Andrew email that students discussed openly without knowing what had happened. The formal disclosure came six weeks later on Friday afternoon October 13, 2023. The Tartan, CMU's student newspaper, criticized the delay. No ransomware group claimed the attack publicly; CMU has never named the threat actor. The CMU Alert emergency-notification system ran on a separate identity tier and was not affected — a fact the disclosure called out explicitly, addressing the lesson learned at Bluefield and elsewhere about alert-system isolation.
Analysis

Key Findings

Intrusion window: August 25-31, 2023 (six days), with containment on August 31 — a relatively short dwell time compared to Stanford's 138-day Akira intrusion.
Six-week gap between containment and public disclosure drew unusual scrutiny because CMU is the home of CERT/CC.
CMU Alert emergency-notification system was explicitly not affected — alert-system isolation has become a standard disclosure point post-Bluefield.
No ransomware group ever claimed the attack publicly; CMU has not named the threat actor.
Outcome
CMU engaged outside counsel and forensic investigators, contained the intrusion by August 31, 2023, and disclosed publicly on October 13. The CMU Alert emergency notification system was not affected. Affected individuals received written notices with two years of credit monitoring through Kroll.
Provenance

Sources

  1. Official
  2. National Media
  3. Student Paper
  4. Student Paper
Tags
cyberattack · data-breach · pennsylvania · private-r1 · cert-cc-host · single-sign-on-outage · alert-system-isolated · infrastructure-failure
Added May 2026 · Updated May 2026 · Via ingestion