[BreachExchange] Phishing attack exposes data for over 5,000 people at St. Louis Community College

Destry Winant destry at riskbasedsecurity.com
Wed Feb 5 10:16:19 EST 2020


https://www.kmov.com/news/phishing-attack-exposes-data-for-over-people-at-st-louis/article_4902989e-4772-11ea-a141-e720a9018fd5.html

ST. LOUIS (KMOV.com) – A series of email phishing attacks gave
cybercriminals access to thousands of St. Louis Community College
students’ private data.

The college said the attacks targeted former and current students and
employees and gave the criminals access to the data stored in their
email accounts. The sensitive information accessed included names,
student identification numbers, dates of birth, addresses, phone
numbers, and email addresses. In total, 5,127 individuals had their
information exposed; of those, 71 people had their Social Security
numbers compromised.

St. Louis Community College officials said some of the accounts were
secured within 24 hours of the incident and all accounts were secured
within 72 hours.

The data breach was discovered on Jan. 13 after the college says an
employee clicked on an attachment from a bogus email. The college is
currently in the process of notifying anyone who was affected by the
breach.

"Colleges are well under attack. Criminals are very interested in
getting our email addresses," Chief Information Officer Keith Hacke
said. "They want to use those email addresses to get things at
discount that students get."

Officials said it took them three weeks to fully understand what
exactly happened and to accurately identify those who were affected.
Officials said there are no signs that any money had been stolen from
student or employee accounts.

"We do not see any information that that happened and we are offering
credit protection for those who had their Social Security numbers
compromised," Hacke said.

St. Louis Community College was in the process of implementing a new
security measure that would require anyone accessing email from off
campus to enter a code sent to their cellphone. That would have
stopped the cybercriminals but the new security step didn’t start till
after the security breach happened.

The Department of Education’s Office of Inspector General and the
Family Policy Compliance Office have been notified of the data breach,
according to the college. In addition, all faculty and staff will be
re-trained within 30 days on the handling and sharing of sensitive
information.

