Butler University in Indianapolis has told 163,000 staff and students including those connected to the institution in the past that a data breach dating back to 2013 could have compromised their personal details.
In a letter sent to employees and alumni by president Jim Danko, the University said it had learned of the possible breach a month ago after being contacted by police in California who had detained a suspect carrying a flash drive on which employee data was found.
The University carried out a forensic investigation, tracing the attack to between November 2013 and May this year. Stolen data included names, dates of birth, social security numbers and driver's licenses, he said.
"Third-party computer forensics experts were retained by Butler University to confirm these findings and to confirm the full extent of data potentially exposed as a result of this incident," said Danko in the letter.
US media reports have connected the breach to anecdotes of identity theft, which will raise concerns about how long the data has been in the hands of hackers. The University is offering everyone affected identity theft insurance and monitoring.
What hasn't yet been revealed is how the hackers penetrated security without being detected. Had police in another state not detained a suspect who happened to be carrying the flash drive the attack would still not be known about.
While data breaches have become a weekly event across a range of sectors, US universities seem to have become a particular target for hackers. They have everything hackers seek, including a user base running into tens or even hundreds of thousands, affluent enough to make identity theft an attractive business.
Other notable recent breach victims in this sector have included the University of Maryland, which revealed an attack affecting 309,000 students in February of this year.
Sign up for CIO Asia eNewsletters.