A Spate of University Breaches Highlights Email Threats in Higher Ed

Students at Oregon State University, Graceland University and Southern Missouri State have all been impacted by email attacks against school employees.

Oregon State University announced Friday that hackers potentially made off with the records of 636 students and family members of students, containing personally identifiable information (PII), after a successful email attack in early May.

This comes on the heels of email-based breaches at Graceland University in Iowa and Missouri Southern State University.

“An OSU employee’s e-mail account was hacked by individuals outside the university and used to send phishing e-mails across the nation,” the university said, in a website notice. “An investigation by OSU and forensics specialists found several documents in the inbox of the OSU employee’s email account that had personal information of 636 students and family members of students.”

Steve Clark, the university’s vice president for university relations and marketing, said in a media statement that the school is still investigating and hoping to determine for certain whether or not the cyberattackers actually saw and copied the PII.

“We will continue to monitor such efforts and systems, and take further steps to protect the university’s information technology and sensitive data,” he said. OSU didn’t specify what kind of email attack it was, or what information was potentially impacted. Clark did not immediately respond to a request for more information.

Meanwhile, Graceland University in Iowa said last week that attackers were able to gain access to the email accounts of three current employees, which would have given them access to the victims’ messages and attachments. The adversaries had access to one account on March 29, to another during the month of April, and to the third from April 12 to May 1.

“The accounts have now been secured, however, it has been determined that the personal information of some people who had interacted with these email accounts over the past several years was available during the time the unauthorized user(s) had access,” the university said in its notice. “Graceland has attempted to send a physical letter to each of these individuals using the address on file.”

The information that could have been compromised includes name, Social Security number, date of birth, address, telephone number, email address, names of victims’ parents and children, salary information and financial aid information for enrollment or possible enrollment at Graceland.

“Graceland does not have any evidence at this time that this information was, in fact, stolen or has been used in a malicious manner, however, we cannot be certain of the extent of the unauthorized user’s intentions,” it noted.

Southern Missouri State, for its part, said last week that “several employees” fell victim to a phishing effort in January, which ended in the compromise of Office 365 accounts. It said that name, Social Security number, date of birth, address, telephone number and email address were potentially exposed.

While the institution said in its notification letter that it detected the issue months ago, it noted that it was directed by law enforcement to delay victim notification until just recently, while the investigation was going on.

As for how the attacks played out, none of the universities offered much detail. But a recent look at the Dark Web by an academic team found that vendors often offer access tools for specific verticals, with banking and finance (29 percent), healthcare (24 percent), ecommerce (16 percent), and education (12 percent) corporate networks being the most common.

Some methods for providing access involved stolen remote access credentials, backdoor access or the use of malware like remote access trojans or keyloggers, the report found. However, phishing remains a preferred method for infiltrating networks, with dark-net vendors offering vertical-specific kits and tutorials to create convincing lures for phishing campaigns using genuine-looking invoices and documentation.

“Purchasing corporate invoices is easy on the dark net, with prices ranging from $5-$10,” Mike McGuire, a criminology lecturer at the University of Surrey in the UK, said in the report. “These documents can be used to defraud organizations or as part of phishing campaigns to trick employees into opening malicious links or email attachments, which deliver malware that triggers a breach or gives hackers a backdoor into corporate networks which could be sold on the dark net.”

The higher education landscape is a target-rich environment that criminals are increasingly going after. According to Mimecast’s State of Email Security report, which took a look at email attacks in the education sector in particular, a full 56 percent of organizations in the vertical saw an increase in phishing with malicious links or attachments in the last year; another 67 percent saw an increase in impersonation fraud. Over a third of the victims of the latter (38 percent) experienced data loss following an email-based impersonation attack.
