Student, family data exposed in Oregon State cyberattack

OSU officials say the data of 636 students, prospective students and family members was exposed to hackers engineering a phishing attack.
Oregon State University
Oregon State University

Oregon State University disclosed Friday that personal data from 636 student and family records were potentially exposed in a recent cyberattack.

The email of an employee working within the university’s Office of Enrollment Management was hacked in early May, Steve Clark, a university spokesman, told EdScoop. The incident potentially exposed the names, birthdates, addresses and Social Security numbers of students, prospective students and their family members.

“We have no evidence that those files were viewed or used but we felt it appropriate to inform people,” Clark said. “This was a sophisticated attempt by an individual or individuals, not to gain data, but to utilize Oregon State University’s email to send out phishing emails to other people an institutions.”

In the past, Clark said, there have been a handful of incidents in which OSU email accounts were used by hackers to legitimize and spread phishing emails, but swift action had always been taken. However, he said during his eight years at OSU, he has never known of a similar incident in which personal information was compromised.


“We live in a world where these types of events are going to occur and we need to be aware of them and address them in an effective and transparent way,” Clark said. “That’s what we’ve sought to do.”

OSU said in a statement that, in light of the recent incident, administrators will be reviewing the protection procedures and IT systems the university uses to guard its information systems, email accounts, and student and family records.

Recently the university updated its identity verification system, Clark said. Users are now required to authenticate who they are each day to protect sensitive information and alert the university of hacking attempts.

“While it did not prevent the sophisticated attack from occurring, that system was able to notify us that the attack had occurred in a timely way,” Clark said.

The school also restricts which employees have access to certain kinds of data in order to keep student information safe.


OSU is continuing to investigate whether the hacker viewed or copied documents with personal information, Clark said, adding that the university is now working with the FBI and local law enforcement.

To those affected by the incident, the university has offered those information and services, including 12 months of free credit-monitoring services that the university is required by state’s data breach notification law to provide.

Betsy Foresman

Written by Betsy Foresman

Betsy Foresman was an education reporter for EdScoop from 2018 through early 2021, where she wrote about the virtues and challenges of innovative technology solutions used in higher education and K-12 spaces. Foresman also covered local government IT for StateScoop, on occasion. Foresman graduated from Texas Christian University in 2018 — go Frogs! — with a BA in journalism and psychology. During her senior year, she worked as an intern at the Center for Strategic and International Studies in Washington, D.C., and moved back to the capital after completing her degree because, like Shrek, she feels most at home in the swamp. Foresman previously worked at Scoop News Group as an editorial fellow.

Latest Podcasts