Oregon State University (OSU) has disclosed a security incident that potentially affected the personally identifiable information of some students and their families.
On 14 June, OSU announced that the security incident occurred in May, when external actors hacked a university employee's email account. At the time of compromise, the email account contained the personal information of approximately 636 students and families, as determined by a forensic analysis conducted by Oregon State University.
It's possible the external actors accessed this information while they abused the hacked email account to send phishing emails around the country. Steve Clark, vice president for university relations and marketing at Oregon State University, said the university is still in the process of verifying whether such exposure did indeed occur. As quoted in the university's statement:
“While we have no indication at this time that the personal information was seen or used, OSU has notified these students and family members of this incident. And we have offered information about support services that are available, including 12 months of credit monitoring services that the university will enable at no cost.”
Additionally, Clark said that the university is actively reviewing the policies it uses to safeguard its information systems and that the school intends to implement additional measures designed to protect its IT assets and stored data going forward.
OSU isn't the first university to have suffered a data breach in recent memory. In early June, for instance, Australian National University (ANU) disclosed a data breach that affected some information of its community members dating back 19 years. News of this incident came just a few months after the Georgia Institute of Technology, better known as Georgia Tech, confirmed that a security incident potentially exposed the personal data of as many as 1.3 million users. This was less than a year after the Information Commissioner’s Office (ICO) fined the University of Greenwich £120,000 for a “serious” security breach of personal data.
These security incidents all highlight the need for universities to strengthen their digital security postures by applying least privilege principles across their entire networks.