Oregon State University breach exposed student, family data

OSU is one of several US universities impacted by data breaches in recent weeks.
Written by Charlie Osborne, Contributing Writer

Oregon State University (OSU) has revealed a recent data breach which may have exposed information belonging to students and their families.

The US university said last week that 636 student records and family records containing Personally identifiable information (PII) have potentially been placed at risk due to a security incident which took place in May.

OSU has not revealed what PII was involved, but in general terms, PII can include names, addresses, telephone numbers, Social Security numbers, and more. Financial records are not generally considered an aspect of PII in data leaks.

The Corvallis Advocate, however, reports that "names, birthdates, and Social Security numbers of both current and prospective students as well as their family members" may have been exposed.

A successful phishing campaign has been blamed, in which an OSU employee fell prey to a scheme which compromised their email account. The staff member in question had stored the records in their email inbox.

TechRepublic: Magecart attack: What it is, how it works, and how to prevent it

"OSU is continuing to investigate this matter and determine whether the cyber attacker viewed or copied these documents with personal information," said Steve Clark, OSU's vice president for university relations and marketing. "While we have no indication at this time that the personal information was seen or used, OSU has notified these students and family members of this incident."

Credit monitoring services are on offer for those affected and a helpline has been established for students and their families. OSU added that the academic institution is conducting a review of its IT system security in light of the breach.

OSU is not the only US university or college to admit to a data breach in recent weeks. Earlier this month, Graceland University said there have been three cases of an unauthorized user gaining access to email accounts belonging to employees.

See also: Have I Been Pwned: It's time to grow up and smell the acquisition potential

The accounts were accessible from "March 29, 2019, and from April 1 -- 30 and April 12 -- May 1, 2019," according to Graceland. The potential victims involved are those who "had interacted with these email accounts over the past several years."

The university did not reveal how many records had been exposed due to the unauthorized entry but Graceland did say that PII including names, Social Security numbers, dates of birth, addresses, telephone numbers, salary data, and financial aid information could have been compromised.

Missouri Southern State University, too, revealed last week that employee Microsoft 365 Office accounts had been targeted in a phishing campaign. The data breach, which occurred in January 2019, was caused by "several" staff members falling for the phishing attempt and potentially led to their accounts becoming compromised.

CNET: Black Hat cancels Rep. Will Hurd's headline speech after Twitter backlash

Names, dates of birth, addresses, telephone numbers, and Social Security numbers have potentially been leaked or stolen due to the cyberattack. The university has hired a cyberforensics company and has promised to provide free credit monitoring for those affected.

These are the worst hacks, cyberattacks, and data breaches of 2019 (so far)

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards