The University of Michigan says in a statement today that they suffered a data breach after hackers broke into its network in August and accessed systems with information belonging to students, applicants, alumni, donors, employees, patients, and research study participants.
August was almost 3 months ago, did they just find out now?
Possibly. University networks can be complicated. You have a large number of students who change yearly, a large group of faculty who tend to enjoy more privileges and autonomy than a corporate employee, lots of different IT departments, lots of tech debt and legacy apps/equipment, likely not enough funding and typically a difficulty attracting and keeping IT professionals who can usually make more money in a corporate job…
And even if they did catch it immediately it takes time to assess the breach, talk with lawyers and law enforcement, determine the scope of the issue, contract a company to assist with notification requirements, identify everyone whose data was breached, identify likely addresses for those people, draft notification letters and press releases, get those drafts approved, etc.
No, they’re just releasing information now. Bleeping Computer wrote this when the incident first happened: https://www.bleepingcomputer.com/news/security/university-of-michigan-shuts-down-network-after-cyberattack/
It’s not that they just found out, but more that they have combed through and prepared all of the information they could legally release.