Oregon State University was sending phishing emails around the nation on behalf of hackers who broke into an OSU email inbox.
The university, located about 90 minutes southwest of Portland, just announced the data breach, which happened in May 2019.
"An OSU employee’s e-mail account was hacked by individuals outside the university and used to send phishing e-mails across the nation. An investigation by OSU and forensics specialists found several documents in the inbox of the OSU employee’s e-mail account that had personal information of 636 students and family members of students."
Thankfully, that is a small number of student and family records compared to overall enrollment, which is more than 29,000 students right now.
Now the question remains: did hackers go after personal data, or did they just want a legitimate email account that could easily send phishing emails to other targets? Or was it both?
"OSU is continuing to investigate this matter and determine whether the cyber attacker viewed or copied these documents with personal information," said Steve Clark, the vice president for university relations and marketing. “While we have no indication at this time that the personal information was seen or used, OSU has notified these students and family members of this incident."
A growing number of colleges, universities, and school districts are being targeted in cyberattacks.
Cybersecurity company Mimecast, for example, recently found that 56% of organizations in the education sector saw an increase in phishing with malicious links or attachments in the last year.
The families impacted in the Oregon State University data breach are being offered a year of free credit monitoring.
