Security | News
Northwest Florida State College Data Breach Compromises 300,000 Students and Employees
In a recent data breach at Northwest Florida State College (NWFSC) the personal information of nearly 300,000 people, including 200,000 who may have had no connection to the school, was stolen. Individuals affected include approximately 76,000 former or current students, 3,200 current or retired employees, and 200,000 students who were eligible for Bright Futures scholarships in the school years beginning in 2005 and 2006.
The compromised data of Bright Futures students (who may be attending NWFSC or other Florida state colleges or universities) included names, Social Security numbers (SSN), birthdates, gender, and ethnicity. Leaked information about NWFSC students included names, addresses, SSNs, and birthdates. In addition to names, birthdates, and SSNs, the stolen employee data included direct deposit routing and account numbers.
"Approximately 50 employees to date have reported issues with identity theft, including the college president, faculty, and staff," according to information released by the school.
The breach, which occurred between May 21 and September 24, was uncovered by an internal review by the school in early October. After becoming aware of the breach, NWFSC launched an investigation with an outside consultant and an Okaloosa County Sheriff's Office cybercrimes expert.
"We speculate that this was a professional, coordinated attack by one or more hackers," said NWFSC President Ty Handy in a letter to school employees. "We believe that the hackers are having to do specific work to pull together enough information about an individual employee to steal their identity. We do not believe that they have accessed this information on all 3,200 individuals in the file, but that the potential does exist."
Handy also said in the letter that the breach included a folder from the school's main server that included several files.
"No one file had a complete set of personal information regarding individuals," Handy said in a prepared statement. "However, by working between files, the hacker(s) have been able to piece together enough information to be able to engage in identity theft for at least 50 employees."
In the cases of identity theft stemming from the breach, the hackers have taken out loans through PayDayMax or Discount Advance Loans, which are then repaid through the employee's personal bank accounts. The hackers have also applied for and used Home Depot credit cards.
In a news release about the incident, Handy also said "Some employees had the bank account where they receive direct deposit of their pay checks accessed and funds removed" in addition to the fraudulent credit cards and accounts.
On a Web site created to share information about the breach, NWFSC has suggested that individuals affected place a fraud report with one of the three credit reporting agencies. The school has also asked that students, employees, and Bright Future scholars who have been the victim of identity theft contact the dean of students, human resources, and an 800 number, respectively. The Web site also includes information on how to protect your identity, what to do once your personal information is compromised, and links to Federal Trade Commission information and the Identity Theft Assistance Center.
"As we determine the full scope of the matter, we will be able to issue the more formal notifications," Handy said in the release, which was issued on October 10. "We hope, by the end of this week to know precisely which persons have had their information compromised."
As for future attacks, Handy said, "The integrity of the NWFSC system has been restored and there is no indication of any additional instances of compromise of personal information."
Part of the Florida College System, Northwest Florida State College enrolls approximately 17,000 students and offers bachelor's and associate degrees and certifications.
More information about the breach, and steps the school is taking to deal with it, is available at nwfsc.edu/security.