ST. LOUIS (KMOV.com) – A series of email phishing attacks gave cybercriminals access to thousands of St. Louis Community College students’ private data.
The college said the attacks targeted former and current students and employees and gave the criminals access to the data stored in their email accounts. The sensitive information accessed included names, student identification numbers, dates of birth, addresses, phone numbers, and email addresses. In total, 5,127 individuals had their information exposed, of those, 71 people had their Social Security Numbers compromised.
St. Louis Community College officials said some of the accounts were secured within 24 hours of the incident and all accounts were secured within 72 hours.
The data breach was discovered on Jan. 13 after the college says an employee clicked on an attachment from a bogus email. The college is currently in the process of notifying anyone who was affected by the breach.
"Colleges are well under attack. Criminals are very interested in getting our email addresses," Chief Information Officer Keith Hacke said. "They want to use those email addresses to get things at discount that students get."
Officials said it took them three weeks to fully understand what exactly happened and to accurately identify those who were affected. Officials said there are no sings that any money had been stolen from student or employee accounts.
"We do not see any information that that happened and we offering credit protection for those who had their Social Security numbers compromised," Hacke said.
St. Louis Community College was in the process of implementing a new security measure that would require anyone access email from off campus to enter a code sent to their cellphone. That would have stopped the cybercriminals but the new security step didn’t start till after the security breach happened.
The Department of Education’s Office of Inspector General and the Family Policy Compliance Office have been notified of data breach, according to the college. In addition, all faculty and staff will be re-trained within 30 days on the handling and sharing of sensitive information.