Security

E-mail Hack Exposes Student Data at Oregon State

• By Dian Schaffhauser
• 07/08/19

A mid-June data breach at Oregon State University exposed personally identifiable information of 636 students and their families. According to the university, the data breach occurred when an employee's e-mail account was hacked by external people and used to send phishing e-mails across the country. The early investigation by the university IT organization and outside forensics specialists found several documents in the employee's inbox containing the personal information.

The institution said it was "continuing to investigate this matter and determine whether the cyber attacker viewed or copied these documents." All those possibly affected have been notified, the university reported, and they've been offered credit monitoring services for the next year.

The school added that it was also reviewing "the many protection procedures and IT systems the university uses to guard its information systems, e-mail accounts, and student and family records" and would continue monitoring "such efforts and systems, and take further steps to protect the university's information technology and sensitive data."

Outside security experts expressed concern about the lack of detail in the university's explanation. "An effective DNS security layer would have been able to quickly show if any data was sent out of the network," said Cath Goulding, chief information security officer at Nominet, a company that sells such security products, in a statement.

"Academic institutions are a growing target because they hold personally identifiable information for tens of thousands of students, employees, donors and partners. Once it reaches the dark web, this PII can be used for identity theft, synthetic identity creation and robotic account takeovers. Malicious actors can create sophisticated phishing attacks given information available from other data breaches, which is what makes this type of attack so dangerous," added Ben Goodman, senior vice president at security company ForgeRock. "Education institutions must keep pace with attackers by educating their employees to prevent these attacks, while utilizing modern behavioral analytics, 'Know Your Customer' and identity-proofing tools to fight against fraudsters."