[BreachExchange] Three U.S. Universities Disclose Data Breaches Over Two-Day Span

Destry Winant destry at riskbasedsecurity.com
Tue Jun 18 10:21:54 EDT 2019


https://www.bleepingcomputer.com/news/security/three-us-universities-disclose-data-breaches-over-two-day-span/

Three U.S. universities have disclosed data breach incidents impacting
personally identifiable information of students or employees following
unauthorized access to some of their employees' email accounts.

All three universities — Graceland University, Oregon State
University, and Missouri Southern State University — have notified the
individuals whose personal information was potentially stolen or
accessed about the security incidents.

In addition, the investigations into the disclosed data privacy
incidents at all three universities have found no evidence that the
impacted personal information was stolen or used in a malicious
manner.

Graceland University says in a notice of data breach published on June
14 that an "unauthorized user gained access to the email accounts of
current employees," on March 29, 2019, as well as "from April 1-30 and
April 12-May 1, 2019, respectively."

As the university discovered during the breach investigation, "the
personal information of some people who had interacted with these
email accounts over the past several years was available during the
time the unauthorized user(s) had access."

The information that could have been accessed during the incident included:

• full name
• social security number
• date of birth
• address
• telephone number
• email address
• parents/children
• salary information
• financial aid information for enrollment or possible enrollment at Graceland

Oregon State University (OSU) states in a press release that "636
student records and family records of students containing personally
identifiable information were potentially affected by a data privacy
incident that occurred in early May."

OSU says that a joint investigation carried out with the help of
forensics specialists found that an employee's hacked email account
containing documents with the info of the 636 students and their
family members was also used by the attackers to "send phishing
e-mails across the nation."

As detailed by Steve Clark, OSU's VP for university relations and marketing:

"OSU is continuing to investigate this matter and determine whether the
cyber attacker viewed or copied these documents with personal
information."

According to Clark, the university is also reviewing the protection
systems and procedures used to shield OSU's e-mail accounts and
information systems.

Missouri Southern State University (MSSU), the third entity that
reported a breach, states in a notice of data breach sent to the
Office of the Vermont Attorney General that it was alerted to a
possible cyber attack triggered by a phishing email on January 9.

The phishing attack claimed several victims among the university's
employees, which prompted a law enforcement notification. University
officials were afterward told to delay notifying affected individuals
until investigations are complete.

MSSU also hired a leading forensic investigation firm to look into the
security incident and to "block potential email exploitation,
including a mass password reset of all employee Office 365 accounts."

After analyzing the contents of the impacted Office 365 accounts, MSSU
found that the emails stored in them contained "first and last names,
dates of birth, home addresses, email addresses, telephone numbers,
and social security numbers."

As further explained in the data breach notification sent to the
Vermont Attorney General by MSSU:

"In late March, April, and early May, the University identified emails
containing personal information that may have been compromised by the
attack. In mid-May, the University confirmed that your first and last
name and social security number were contained in the impacted
accounts."

BleepingComputer has reached out to Graceland University, Oregon State
University, and Missouri Southern State University for additional
comments, but had not heard back at the time of this publication.

________________________________

Update June 17: Mike Olmstead, Missouri Southern State University's
Director of News Services & Messaging, sent an official statement from
the university:

"Missouri Southern State University was the victim of a cybersecurity
attack on January 9, 2019. The University responded quickly and
engaged a leading forensic investigation firm to help stop the attack
and provide subsequent investigation services. The University notified
the Federal Bureau of Investigation Cyber Crime Task Force and the
Missouri Attorney General’s Office about the incident. The University
worked diligently to notify all impacted individuals once the results
of its investigation had been communicated to law enforcement. The
notification letters were mailed to all impacted individuals on June
13, 2019, and the University has offered all impacted individuals 24
months complimentary credit monitoring."

