St. Louis Community College, a four-campus system with more than 50,000 students, announced Tuesday that a successful phishing campaign last month compromised the personal information of more than 5,000 students and employees.
The college issued a notice that “a series of email phishing attacks” discovered on Jan. 13 resulted in the exposure of names, student ID numbers, dates of birth, addresses, home phone numbers, cell phone numbers, and college and personal email addresses for 5,127 people. Of those affected, 71 also had their Social Security numbers compromised.
“There was a phishing email sent,” said Nez Savala, the college’s communications manager. “About 20-some people fell for it and that gave whoever was on the other end access to information that was stored in their email which led to access to student and employee information.”
Those who clicked on the phishing links will be retrained on how to identify suspicious emails, a training session that all staff currently undergo annually, Savala said. Additionally, she said, all staff will be trained within the next 30 days on how to handle and share sensitive information.
Unfortunately for the college, the attacks came as it implementing multi-factor authentication for its email platform, a measure that may have prevented exposure of personal information. That functionality, however, was not launched until Jan. 31, Savala said.
To respond to the incident, the school notified those affected by email and traditional mail, set up a call center to field questions and offered free credit monitoring to those whose Social Security information has been exposed.
To explain the delay between identifying the incident on Jan. 13 and its public notice on Feb. 4, the college explained that first “several action steps needed to be taken.”
“For example, information needed to be collected and analyzed from multiple systems to identify all of the impacted individuals and ensure the accuracy of the information that was contained in employee email accounts,” the notice states.
The college reports it’s notified the Department of Education’s Office of Inspector General and the Family Policy Compliance Office and that it will continue to investigate the incident.
Phishing emails are a common attack vector in K-12 and higher education institutions. A similar scam, called a business email compromise, resulted last month in the theft of $2.3 million at a K-12 district in Texas.