Oregon State University disclosed Friday that personal data from 636 student and family records were potentially exposed in a recent cyberattack.
The email of an employee working within the university’s Office of Enrollment Management was hacked in early May, Steve Clark, a university spokesman, told EdScoop. The incident potentially exposed the names, birthdates, addresses and Social Security numbers of students, prospective students and their family members.
“We have no evidence that those files were viewed or used but we felt it appropriate to inform people,” Clark said. “This was a sophisticated attempt by an individual or individuals, not to gain data, but to utilize Oregon State University’s email to send out phishing emails to other people an institutions.”
In the past, Clark said, there have been a handful of incidents in which OSU email accounts were used by hackers to legitimize and spread phishing emails, but swift action had always been taken. However, he said during his eight years at OSU, he has never known of a similar incident in which personal information was compromised.
“We live in a world where these types of events are going to occur and we need to be aware of them and address them in an effective and transparent way,” Clark said. “That’s what we’ve sought to do.”
OSU said in a statement that, in light of the recent incident, administrators will be reviewing the protection procedures and IT systems the university uses to guard its information systems, email accounts, and student and family records.
Recently the university updated its identity verification system, Clark said. Users are now required to authenticate who they are each day to protect sensitive information and alert the university of hacking attempts.
“While it did not prevent the sophisticated attack from occurring, that system was able to notify us that the attack had occurred in a timely way,” Clark said.
The school also restricts which employees have access to certain kinds of data in order to keep student information safe.
OSU is continuing to investigate whether the hacker viewed or copied documents with personal information, Clark said, adding that the university is now working with the FBI and local law enforcement.
To those affected by the incident, the university has offered those information and services, including 12 months of free credit-monitoring services that the university is required by state’s data breach notification law to provide.