The University of Michigan says in a statement today that they suffered a data breach after hackers broke into its network in August and accessed systems with information belonging to students, applicants, alumni, donors, employees, patients, and research study participants.
Possibly. University networks can be complicated. You have a large number of students who change yearly, a large group of faculty who tend to enjoy more privileges and autonomy than a corporate employee, lots of different IT departments, lots of tech debt and legacy apps/equipment, likely not enough funding and typically a difficulty attracting and keeping IT professionals who can usually make more money in a corporate job…
And even if they did catch it immediately it takes time to assess the breach, talk with lawyers and law enforcement, determine the scope of the issue, contract a company to assist with notification requirements, identify everyone whose data was breached, identify likely addresses for those people, draft notification letters and press releases, get those drafts approved, etc.