Napa Valley College ransomware attack caused possible data breach
Ransomware: About 8,000 people with some association to Napa Valley College recently received letters informing them of a possible data breach of personal information that occurred during the ransomware attack that struck NVC in June. The community college, once aware of the cyberattack that shut down the NVC website and network systems, worked with a third-party forensic firm to investigate, the letter says. On Aug. 18, the college subsequently discovered “a limited amount of personal information may have been accessed by an unauthorized third party in connection with this incident.”
https://napavalleyregister.com/news/local/napa-valley-college-ransomware-attack-caused-possible-data-breach/article_3b513604-32e5-11ed-b1be-7320a5ae9549.html
Mon, 12 Sep 2022 12:53:47 -0500

Nearly 6,000 impacted by Franklin College hack
Cyberattack: People involved with Franklin College may have had personal data revealed to hackers that breached the school’s network with a malicious code attack. The attack occurred on Jan. 21, and college officials held back information to determine through an investigation what data might have been taken. After an investigation was completed in June, college officials sent out a letter to individuals who could have been impacted on Aug. 29. The letter says information taken may have included the names and driver’s license or state identification numbers of people involved with Franklin College. Information taken in the breach may also include social security numbers, according to Turke and Strauss LLP, a Madison, Wisconsin-based data breach law firm investigating the breach.
https://dailyjournal.net/2022/09/08/nearly-6000-impacted-by-franklin-college-hack/
Thu, 8 Sep 2022 10:15:43 -0500

Ransomware attack on leading Georgia art college leads to data leak
Ransomware: Savannah College of Art and Design (SCAD) -- an acclaimed art school in the U.S. serving more than 15,000 students -- suffered a ransomware attack that leaked the sensitive information of hundreds of people. A spokesperson for the school told The Record that it recently discovered a hacker had gained access to SCAD’s information network systems. They did not say what information was accessed.
https://therecord.media/ransomware-attack-on-leading-georgia-art-college-leads-to-data-leak/
Tue, 6 Sep 2022 13:44:23 -0500

Tulsa Tech Hit By Data Breach
Data Breach: Tulsa Tech says someone stole data belonging to students who were enrolled in its classes between 1986 and 1999.
According to the school, someone accessed the district's systems in June and took files from the network, including the names and Social Security numbers of students. Tulsa Tech sent out letters on August 18th to students who may have been impacted by the breach.
https://www.newson6.com/story/63108358ff2538070b06b321/tulsa-tech-hit-by-data-breach-
Thu, 1 Sep 2022 09:44:12 -0500

Sierra College hacked days before fall semester begins
Cyberattack: Days before classes started, Sierra College’s systems were hacked, school officials told FOX40 News Tuesday. According to campus officials, the cyberattack on Saturday gave the school “limited access to technology and data resources” throughout the Sierra Joint Community College District. “After we learned of the incident, we took immediate actions to protect data and recover systems as quickly as possible,” the officials said in a statement. “A professional third-party forensic firm has engaged to investigate and determine the scope of the incident.”
https://fox40.com/news/local-news/placer-county/sierra-college-hacked-days-before-fall-semester-begins/
Tue, 23 Aug 2022 08:41:37 -0500

Whitworth students feel left in the dark as ransomware attack cripples the school's computer network
Ransomware: A ransomware attack has crippled Whitworth University's computer network and left students scrambling to make plans and find information for the coming school year. On July 29, the school's website went down. So did the entire campus network. Two weeks later, with the website still on the fritz, the school directed students to a barebones, temporary website for contact details and other essential information. On Aug. 10, LockBit, a prominent ransomware group, claimed responsibility for the cyberattack.
https://www.inlander.com/spokane/whitworth-students-feel-left-in-the-dark-as-ransomware-attack-cripples-the-schools-computer-network/Content?oid=24394492
Wed, 17 Aug 2022 08:48:13 -0500

Thomas More University hacked in multiple ways after cyber attack on Facebook account
Cyberattack: A local university was hit with a cyberattack that has left it with embarrassing and inappropriate pictures on their social media account that they can’t take down. Thomas More University’s Facebook account was hacked, and all of their account managers are locked out. “About three weeks ago we got a notice that told us all of the university administrators, who are admins on the page, have been removed,” said vice president of institutional advancement at Thomas More, Kevin Reynolds.
https://www.wlwt.com/article/thomas-more-university-hacked-facebook-account/40901253#
Mon, 15 Aug 2022 12:46:32 -0500

Ransomware Attacks Against Higher Ed Increase
Ransomware: “You can collect that money in a couple of hours,” a ransomware hacker’s representative wrote in a secure June 2020 chat with a University of California, San Francisco, negotiator about the $3 million ransom demanded. “You need to take us seriously. If we’ll release on our blog student records/data, I’m 100% sure you will lose more than our price what we ask.” The university later paid $1.14 million to gain access to the decryption key. Colleges and universities worldwide experienced a surge in ransomware attacks in 2021, and those attacks had significant operational and financial costs, according to a new report from Sophos, a global cybersecurity leader.
https://www.insidehighered.com/news/2022/07/22/ransomware-attacks-against-higher-ed-increase?utm_source=Inside+Higher+Ed&utm_campaign=3e9ee9e30c-DNU_2021_COPY_02&utm_medium=email&utm_term=0_1fcbc04421-3e9ee9e30c-198624309&mc_cid=3e9ee9e30c&mc_eid=c27b65b094
Fri, 22 Jul 2022 09:43:47 -0500

Oklahoma State University -- Center for Health Services Pays $875,000 to Settle Hacking Breach
HIPAA Settlement: Oklahoma State University -- Center for Health Sciences (OSU-CHS) has paid $875,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and agreed to implement a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules. On January 5, 2018, OSU-CHS filed a breach report stating that an unauthorized third party gained access to a web server that contained electronic protected health information (ePHI). The hacker installed malware that resulted in the disclosure of the ePHI of 279,865 individuals, including their names, Medicaid numbers, healthcare provider names, dates of service, dates of birth, addresses, and treatment information.
https://www.einnews.com/pr_news/581305359/oklahoma-state-university-center-for-health-services-pays-875-000-to-settle-hacking-breach
Thu, 14 Jul 2022 10:03:24 -0500

VCU Health identifies and addresses a 16-year privacy breach
Data Breach: Soap operas are almost always long-running. Privacy breaches should not be, and 16 years is a very long time for a problem to go undetected. But it appears that’s what happened to the Virginia Commonwealth University Health System ("VCU Health"). Last month, VCU Health disclosed that they had recently learned that beginning as early as January 4, 2006, information about transplant donors had accidentally been included in files for their transplant recipients and vice versa. The information was not available to the general public but could be viewed by transplant recipients, donors, and/or their representatives when they logged into the recipient’s and/or donor’s patient portal.
https://www.databreaches.net/vcu-health-identifies-and-addresses-a-16-year-privacy-breach/
Wed, 6 Jul 2022 09:46:47 -0500

Simpson University Confirms Data Breach Leaked Information of More than 6,000 Students
Data Breach: Recently, Simpson University confirmed that the company experienced a data breach involving unauthorized access to employee email accounts. According to Simpson University, the breach resulted in the names, Social Security numbers, financial information (bank account, credit card, and debit card numbers), and protected health information of 6,175 students being compromised. On June 9, 2022, Simpson University filed official notice of the breach and sent out data breach letters to all affected parties.
https://www.jdsupra.com/legalnews/simpson-university-confirms-data-breach-7498820/
Mon, 20 Jun 2022 14:05:07 -0500

University of Pittsburgh Medical Center data breach $450K class action settlement
Data Breach Settlement: A University of Pittsburgh Medical Center billing support company agreed to pay $450,000 to resolve claims surrounding a 2020 data breach. The settlement benefits individuals whose information was accessed, stolen or compromised as a result of the 2021 data breach affecting the University of Pittsburgh Medical Center (UPMC). From April to June 2020, Charles J. Hilton PC (CJH) -- legal retainer hired by UPMC for billing-related services -- allegedly suffered from a data breach. This breach occurred when several CJH email accounts were accessed by a third party, the plaintiffs explain.
https://topclassactions.com/lawsuit-settlements/open-lawsuit-settlements/university-of-pittsburgh-medical-center-data-breach-450k-class-action-settlement/
Fri, 10 Jun 2022 14:12:02 -0500

Texas Tech University Health Science Center patients notified of third-party data security
Data Breach: The Texas Tech University Health Science Center has notified patients of a potential breach of information held by Eye Care Leaders, Inc. On April 19, ECL provided TTUHSC final results of the investigation into the security incident, confirming some of the databases and files contained patient records. No evidence could be found that such records were exfiltrated or used by unauthorized individuals. The ECL’s information contained name, address, phone numbers, driver’s license number, email, date of birth, medical record number, health insurance information, social security number.
https://www.newschannel10.com/2022/06/10/texas-tech-university-health-science-center-patients-notified-third-party-data-security/
Fri, 10 Jun 2022 14:09:41 -0500

UCLA Law Releases Confidential Student Information
Data Breach: The University of California, Los Angeles, law school accidentally released to first-year students information about rising third-year students, including their grade point averages and success in landing jobs, Law.com reported. The data included students’ names. UCLA intended to share the information without names. UCLA released this statement: "Our career services staff recently shared information with our rising 2L students to help them prepare for interviews. Unfortunately, this information included a spreadsheet that contained hidden tabs that should have been removed. Those tabs contained some rising 3L students’ 1L GPAs, along with firms from whom they had callbacks or offers."
https://www.insidehighered.com/quicktakes/2022/06/10/ucla-law-releases-confidential-student-information?utm_source=Inside+Higher+Ed&utm_campaign=b7df52241d-DNU_2021_COPY_02&utm_medium=email&utm_term=0_1fcbc04421-b7df52241d-198624309&mc_cid=b7df52241d&mc_eid=c27b65b094
Fri, 10 Jun 2022 14:05:19 -0500

Martin University Announces Data Security Incident
Ransomware: Martin University today announced that it, like many other colleges and universities across the nation, experienced a recent ransomware attack. The university learned of the suspicious activity on January 3, 2022. It immediately hired security experts and a computer forensic investigator to analyze the system, ensure its safety, and determine whether the incident impacted anyone's personal information.
https://www.prnewswire.com/news-releases/martin-university-announces-data-security-incident-301555691.html
Wed, 1 Jun 2022 13:31:42 -0500

Washington University School of Medicine notifies patients of data breach
Data Breach: St. Louis-based Washington University School of Medicine notified patients that a data breach had potentially exposed some of their personal health information. According to Washington University School of Medicine's website, the health system learned that an unauthorized person gained access to certain employee email accounts between March 4 and March 28. An investigation conducted March 24 was unable to determine whether the individual viewed any of the emails or attachments in the accounts.
https://www.beckershospitalreview.com/cybersecurity/washington-university-school-of-medicine-notifies-patients-of-data-breach-2.html
Tue, 24 May 2022 14:24:59 -0500

North Carolina Becomes First State to Prohibit Public Entities from Paying Ransoms
Ransomware Law: On April 5, 2022, North Carolina became the first state in the U.S. to prohibit state agencies and local government entities from paying a ransom following a ransomware attack. North Carolina’s new law, which was passed as part of the state’s 2021-2022 budget appropriations, prohibits government entities from paying a ransom to an attacker who has encrypted their IT systems and subsequently offers to decrypt that data in exchange for payment. The law prohibits government entities from even communicating with the attacker, instead directing them to report the ransomware attack to the North Carolina Department of Information Technology in accordance with G.S. 143B-1379.
https://www.huntonprivacyblog.com/2022/05/02/north-carolina-becomes-first-state-to-prohibit-public-entities-from-paying-ransoms/
Mon, 2 May 2022 11:10:13 -0500

Class cancelled at Kellogg Community College following ransomware attack
Ransomware: Kellogg Community College announced on May 1 that the technology issues that started days before were caused by a ransomware attack. Due to the ongoing attack, all KCC campuses are closed until further notice.
Kellogg Community College IRT experts are working to resolve this situation as quickly as possible and hope to welcome students and faculty back later in the week.
https://www.fox17online.com/news/local-news/kzoo-bc/calhoun/class-cancelled-at-kellogg-community-college-following-ransomware-attack
Mon, 2 May 2022 14:39:23 -0500

Colleges paying ransom only get 60% of data back. Here’s how to protect it.
Ransomware: A new report from internet security provider Sophos shows that institutions of higher education not only were hit by cyber attacks often in 2021, but they also paid out hefty sums in ransom and still didn’t get back all the data they lost when it was stolen. In its State of Ransomware 2022 study done of more than 5,500 organizations and sectors worldwide, colleges and universities that decided to pay hackers after breaches occurred only recovered about 60% of their precious information. Less than 5% got it all back. Across higher education, two-thirds that took part in the survey (100 to 5,000 employees) were hit by at least one ransomware attack in the previous year, up nearly 30% from 2020. The majority of hits were done using data encryption rather than simply holding the data hostage.
https://universitybusiness.com/colleges-paying-ransom-only-get-60-of-data-back-heres-how-to-protect-it/?eml=20220502&oly_enc_id=5790I3345367I6Z
Sun, 1 May 2022 14:23:51 -0500

Austin Peay State University resumes after ransomware cyber attack
Ransomware: Austin Peay State University (APSU) confirmed yesterday that it had been a victim of a ransomware attack. The university, located in Clarksville, Tennessee advised students, staff, and faculty to disconnect their computers and devices from the university network immediately as a precaution. Subsequent tweets by APSU confirm that the attack is being contained and all employees are expected to report as usual. The whereabouts of the threat actors that hit APSU, and the details of the ransom demand are yet to be known.
https://www.bleepingcomputer.com/news/security/austin-peay-state-university-resumes-after-ransomware-cyber-attack/
Thu, 28 Apr 2022 15:19:26 -0500

Ransomware attacks are hitting universities hard, and they are feeling the pressure
Ransomware: Schools and universities are facing an unprecedented level of ransomware attacks as incidents continue to severely impact the education sector. The warning comes from Jisc, a not-for-profit organisation that provides network and IT services to higher education and research institutions. Jisc's 'Cyber Impact 2022' report suggests there's an increased threat of ransomware attacks against education. The report suggests that one of the reasons universities have become such a common target for ransomware attacks is because of the pandemic-induced sudden shift to remote working for staff and students that inadvertently left institutions open to attack.
https://www.zdnet.com/article/ransomware-attacks-are-hitting-universities-hard-and-they-are-feeling-the-pressure/
Fri, 22 Apr 2022 14:00:54 -0500

Life Sciences students facing mass data breach
Data Breach: Confidential student information in the Life Sciences department of Queen's University was disseminated via email on Apr. 7. The information included student GPAs, student names, student numbers, academic plans, and years of study as of Sept. 2021. Students' sexes and email addresses were also compromised. In an email obtained by The Journal sent to Life Sciences students following the incident, Katherine Rudder, Life Sciences program advisor, said she "inadvertently" attached an Excel class list file containing the compromised information to an email sent out to all fourth-year Life Sciences students. The subject of the email was a networking opportunity.
https://www.queensjournal.ca/story/2022-04-14/university/life-sciences-students-facing-mass-data-breach/
Thu, 14 Apr 2022 16:24:26 -0500

Fake Phishing Email Sent by OHSU to Gauge Employee Gullibility Draws Sharp Criticism from Labor Union
Fake Phishing Email: Oregon Health & Science University sent its employees an email April 12 offering up to $7,500 in aid if they were struggling with their finances due to the pandemic. The email asked recipients to click a link. When clicked, the link routed them to a page that said no financial assistance was being offered. The email, sent by OHSU administrators, was a fake phishing email that the health care giant used to gauge how gullible its employees were to cybersecurity scams, which have become a serious threat to large employers as ransomware hackers develop more sophisticated techniques for breaking into their information systems.
https://www.wweek.com/technology/2022/04/14/fake-phishing-email-sent-by-ohsu-to-employees-to-gauge-employee-gullibility-draws-sharp-criticism-from-labor-union/
Thu, 14 Apr 2022 09:24:07 -0500

FIU: Hackers accessed sensitive data, ‘no indication’ it has been compromised
Data Breach: Hackers have targeted Florida International University, officials said. University officials on Saturday notified students and staff that a ransomware group got a hold of sensitive data. Officials said they are investigating. In the message sent by the university, officials wrote, "There is no indication thus far that sensitive information has been compromised."
https://wsvn.com/news/local/miami-dade/fiu-hackers-accessed-sensitive-data-no-indication-it-has-been-compromised/
Sat, 9 Apr 2022 09:46:04 -0500

Ransomware sent North Carolina A&T University scrambling to restore services
Ransomware: North Carolina A&T State University, the largest historically black college in the US, was recently struck by a ransomware group called ALPHV, sending university staff into a scramble to restore services last month. The breach occurred the week of March 7 while students and faculty were on spring break. Systems taken down by the intrusion included wireless connections, Blackboard instruction, single sign-on websites, VPN, Jabber, Qualtrics, Banner Document Management, and Chrome River, many of which remained down when the student newspaper published its story two weeks ago. The report came a day after North Carolina A&T appeared on a darknet site that ALPHV uses to name and shame victims in an attempt to persuade them to pay a hefty ransom.
https://arstechnica.com/information-technology/2022/04/ransomware-sent-north-carolina-at-university-scrambling-to-restore-services/
Thu, 7 Apr 2022 08:57:20 -0500

Email Hack at Brown Reportedly Involved Nearly Half-Million Addresses
Data Breach: An email hack involving nearly 500,000 email addresses in a Brown University database took place over the weekend. This marks the latest incident at the Ivy League institution, which came under cyberattack in the spring of 2021. According to members of the Brown community, the CSV file that the perpetrators linked to included nearly 500,000 emails.
https://www.golocalprov.com/news/email-hack-at-brown-reportedly-involved-nearly-half-million-addresses
Mon, 14 Mar 2022 11:20:37 -0500

Michigan Medicine Notifies Patients of Data Information Breach
HIPAA Breach: Michigan Medicine proactively monitors access to patients’ electronic medical records for potential inappropriate accesses. From these proactive efforts, on 1/27/2022 Michigan Medicine found that a newly-hired employee accessed patient medical records without a business need. All inappropriate accesses by this individual occurred between 12/1/2021 and 1/25/2022. The individual is part of and has close ties with the local Korean community and accessed records of patients that he knows from this local network. Patients involved in this HIPAA breach were notified via U.S. mail.
https://www.uofmhealth.org/michigan-medicine-notifies-patients-data-information-breach
Tue, 22 Feb 2022 09:00:11 -0600

George Washington University apologizes for data project monitoring student and staff locations on campus
Location Monitoring: George Washington University interim president Mark S. Wrighton apologized Friday to the campus community for the university’s failure to inform it in advance of a data analytics pilot program that monitored locations -- though not individualized data -- of students, faculty and staff last fall. The project, Wrighton wrote in his letter to the campus community, was a combined effort of the school’s IT, student affairs, and safety and facilities divisions that used data collected from Cisco WiFi points across GWU’s campuses "to determine density and use of buildings by students, faculty, and staff in the aggregate in order to assess how this could help inform the Safety and Facilities team’s operational priorities."
https://www.washingtonpost.com/dc-md-va/2022/02/12/gwu-cell-phone-tracking-students/
Sat, 12 Feb 2022 10:36:17 -0600

East Bay community college data breached in ransomware attack
Ransomware: Ohlone College was hacked in late January and the private information of some current and former students, staff and faculty was compromised, including Social Security and bank account numbers, according to school officials. The community college said in a Feb. 4 notice on its website and letters sent to students it had determined "that certain information on the network was accessed by an outside party" through a hacking incident on Jan. 20.
https://globalcirculate.com/east-bay-community-college-data-breached-in-ransomware-attack/
Wed, 9 Feb 2022 11:26:15 -0600

Oakland University mistakenly tells 5,500 students they won highest scholarship
Mistaken Scholarship Message: Oakland University accidentally sent emails to 5,500 of its admitted students Jan. 4 notifying them they were to receive the school's highest scholarship, the Platinum Presidential Scholar Award. The award is worth $12,000 a year for four years of undergraduate school. The mistake was due to "human error," university spokesman Brian Bierley said in a statement. "Unfortunately, the students who received the message do not meet the eligibility requirements for this award, but have qualified for varying levels of OU scholarship awards," Bierley said. "While the emails were sent in error, OU notifies students of scholarship awards through official scholarship award letters sent to students via United States mail."
https://www.freep.com/story/news/education/2022/01/29/oakland-university-scholarship-email-mistake/9258424002/
Tue, 1 Feb 2022 10:47:15 -0600

Data Breach Alert: Midland University
Ransomware: Midland University recently announced a data breach stemming from a malware attack. Malware is short for "malicious software." Malware users will install the software over a network onto the victim’s device. From there, the program can wreak havoc, including scouring the device for any personal information. While details about the breach are still forthcoming, as a result of the breach, the names, addresses, driver’s license numbers, state identification numbers, and Social Security numbers of certain individuals were compromised.
https://www.jdsupra.com/legalnews/data-breach-alert-midland-university-7261788/
Thu, 27 Jan 2022 12:58:38 -0600

A School Mistakenly Told 58 Students They’d Won Full Rides. It’ll Pay Their Tuition Anyway.
Mistaken Scholarship Message: A full ride, including tuition, room and board, plus a $5,000 award to study abroad and admission to the school’s honors program. That’s what 58 high school seniors were told they would receive from Central Michigan University when they were notified over the weekend that they had been awarded the school’s prestigious Centralis Scholar Award. But then on Sunday they got horrible news: They had been sent that message by mistake. In fact, they had actually not been awarded the scholarship to the university of about 20,000 students in Mount Pleasant, Mich.
https://www.nytimes.com/2022/01/26/us/central-michigan-university-scholarship-mistake.html
Wed, 26 Jan 2022 10:41:45 -0600

Man stole students’ info to file fake tax refunds but didn’t earn a dime, feds say
Email Hack: A 39-year-old man managed to hack student and staff emails at two Philadelphia-area colleges -- and obtain their personal identifying information -- but he didn’t make a dime in his failed tax return fraud attempt, authorities say. Authorities say the man hacked into the emails of about 25 college students and staff before obtaining identifying information, including W-2 tax forms and student financial information.
https://www.newsobserver.com/news/nation-world/national/article257675103.html
Mon, 24 Jan 2022 11:08:05 -0600

UAMS notifies patients of personal information breach
Data Breach: The University of Arkansas for Medical Sciences (UAMS) has discovered a breach of patient information and is notifying the affected patients. On Nov. 29, 2021, UAMS became aware that a former employee sent emails from her UAMS email to her personal Gmail account with patient information attached on November 15, 2021, while still employed with UAMS. The attachments consisted of Excel spreadsheets used for internal billing compliance auditing purposes and/or billing statements addressed to UAMS for reimbursement. The information included the names of 518 patients, their hospital account numbers, dates of service, insurance type, claim information for billing purposes and medical record numbers.
https://www.thecabin.net/news/uams-notifies-patients-of-personal-information-breach/article_e13bf619-4e51-54ea-bb64-fa7d9c4cfaf2.html
Sat, 22 Jan 2022 13:52:52 -0600

Cybersecurity compliance requirements may surprise higher ed
Cybersecurity Compliance: As has been widely reported, the Department of Justice (DOJ) launched its new Civil Cyber-Fraud Initiative on October 6, targeting entities that fail to follow cybersecurity-related contract requirements. Despite these widespread reports, an entire category of prime enforcement targets -- universities and research institutions -- remains oblivious to the rising danger they face.
https://universitybusiness.com/cybersecurity-compliance-requirements-may-surprise-higher-ed/
Wed, 19 Jan 2022 11:15:24 -0600

Ransomware attack on FinalSite still disrupting email services at thousands of schools
Ransomware: Education technology company FinalSite is still in the process of recovering from a devastating ransomware attack that crippled many of the services they provide to thousands of schools across the world this week. In an update on Friday morning, the company said the "vast majority" of its sites are back up and running on the front end, but many systems are still facing a variety of issues. They urged their customers -- which include thousands of schools across 115 different countries -- to limit "software usage to critical information updates for your front-end" until they have confirmed that all functionality is working fully.
https://www.zdnet.com/article/ransomware-attack-on-finalsite-disrupting-email-services-at-thousands-of-schools/
Fri, 7 Jan 2022 08:50:29 -0600

Fired U of U researcher exposes breaches in student data
Data Breach: Dr. Judith Zimmerman knew she was fired for doing the right thing. She was the lead investigator on a research project on autism in children, which she spearheaded at the Utah Department of Health. She brought that project, and a very sensitive database of data, to the University of Utah, where she was in charge of securing grants, overseeing contracts for data procurement and, most importantly, making sure that data was secure. When she found out that it wasn’t, though -- that in 2012, her superiors and other researchers had gone behind her back to share deeply personal, identifying information about Utah K-12 students, and asked her to sign off on doing so after the fact -- she was abruptly fired for raising alarm.
https://kjzz.com/news/fired-u-of-u-researcher-exposes-breaches-in-student-data
Tue, 4 Jan 2022 11:15:06 -0600

Kronos hit with ransomware, warns of data breach and 'several week' outage
Ransomware: HR management platform Kronos has been hit with a ransomware attack, revealing that information from many of its high-profile customers may have been accessed. UKG, Kronos' parent company, said the vital service will be out for "several weeks" and urged customers to "evaluate and implement alternative business continuity protocols related to the affected UKG solutions." Kronos' work management software is used by dozens of major corporations, local governments, and enterprises, including: the City of Cleveland's government, Tesla, Temple University, Winthrop University Hospital, Clemson University, and UK supermarket chain Sainsburys.
https://www.zdnet.com/article/hr-platform-kronos-brought-down-by-ransomware-attack-ukg-warns-of-data-breach/
Mon, 13 Dec 2021 13:17:26 -0600
University Targeted Credential Phishing Campaigns Use COVID-19, Omicron Themes
Phishing: Proofpoint researchers have identified an increase in email threats targeting mostly North American universities attempting to steal university login credentials. The threats typically leverage COVID-19 themes including testing information and the new Omicron variant. Proofpoint observed COVID-19 themes impacting education institutions throughout the pandemic, but consistent, targeted credential theft campaigns using such lures targeting universities began in October 2021. Following the announcement of the new Omicron variant in late November, the threat actors began leveraging the new variant in credential theft campaigns.
https://www.proofpoint.com/us/blog/threat-insight/university-targeted-credential-phishing-campaigns-use-covid-19-omicron-themes
Tue, 7 Dec 2021 10:07:37 -0600
Pellissippi State Community College responds to ransomware attack
Ransomware: Pellissippi State Community College determined that a network system outage appeared to be the result of a ransomware attack Tuesday. The incident has since been contained, and experts are currently working on getting the computer systems operational as soon as possible, an announcement from school officials stated.
https://www.wvlt.tv/2021/12/07/pellissippi-state-community-college-responds-ransomware-attack/
Tue, 7 Dec 2021 11:43:31 -0600
6 IT Compliance Mistakes to Avoid
IT Compliance: There is a significant rise in regulations associated with IT systems and enterprise data. It is a mandate that IT professionals look after every aspect of these regulations, or else there is a possibility of heavy financial implication due to non-compliance. Let us accept one fact that compliance is a part of life for any organization, particularly those industry verticals, which are highly regulated such as financial services, healthcare, and government. The moment we mention the word compliance, it immediately resonates with legal, compliance, and risk teams. However, there is a considerable involvement of IT departments in ensuring adherence to the organization’s compliance.
https://www.techfunnel.com/information-technology/it-compliance-mistakes/
Tue, 7 Dec 2021 13:37:31 -0600
TUPD security breach publicized crime victim identities
Data Breach: For victims of crimes and those receiving medical care, the protection of one’s identity, privacy and dignity is critical. As of Dec. 2, anyone with a Tulane University email address could access the Tulane University Police Department’s unredacted Daily Activity Reports. The public DARS openly shared the names of victims, witnesses, reporting persons, those seeking medical attention and suspects who interacted with TUPD. The files were publicly accessible for nearly two years. TUPD was only made aware of their visibility yesterday evening and secured the documents on Dec. 3.
https://tulanehullabaloo.com/58405/news/tupd-breach-publicized-crime-victim-identities/
Fri, 3 Dec 2021 15:09:46 -0600
2 More Community Colleges Targeted by Ransomware
Ransomware: Two community colleges were victims of ransomware attacks in the last week, the latest in a string of costly cyberintrusions at American higher education institutions. The latest institutions to be targeted--Butler County Community College in Pennsylvania and Lewis and Clark Community College in Illinois--remain closed as officials grapple with the aftermath of the attacks. Posts on a Lewis and Clark Facebook page make clear the scale of the attack as students vented about being shut out of their email, Blackboard, laptops and all other platforms requiring a college log-in. The incidents are part of a rising wave of ransomware attacks targeting American colleges and universities.
https://www.insidehighered.com/news/2021/11/30/butler-county-lewis-and-clark-community-colleges-hacked
Wed, 1 Dec 2021 09:39:12 -0600
Scholarship application vendor exposed millions of files, researchers find
Data Breach: A software company that manages applications for academic scholarships, grants and other forms of financial assistance for college students misconfigured a cloud storage platform, leaving millions of records exposed on the open internet, according to research published Monday by UpGuard, a cybersecurity risk management firm. The company, SmarterSelect, failed to make private a Google Cloud Storage bucket containing 1.5 terabytes of data collected by an array of programs that offer financial support to students -- with documents dating from November 2020 to Sept. 29 -- around the time SmarterSelect acknowledged UpGuard’s discovery. The bucket contained nine top-level directories, all containing information about the scholarship organizations that use SmarterSelect and about 150,000 PDF files of students’ application materials.
https://edscoop.com/scholarship-application-vendor-exposed-millions-of-files-researchers-find/
Mon, 22 Nov 2021 13:44:14 -0600
‘Going old school’: Campuswide computer crash sends Wichita university back to ’70s
System Crash: A computer system crash has hit Friends University hard, taking out the school’s Wi-Fi, e-mail and organizational software at various points over the past week, according to students and faculty. Numerous campus patrons have reported multiple and recurring problems logging in, accessing and submitting assignments, and communicating with the campus community. Members of the campus community said they’ve been told the problem was a virus attack of some sort.
https://www.kansas.com/news/local/education/article255936172.html
Thu, 18 Nov 2021 11:37:33 -0600
Summer data breach at Lander caught before paychecks diverted
Data Breach: An "isolated incident" at Lander University over the summer involving some employees’ paychecks being diverted was a one-time thing, according to the university. This past summer, a small number of employee paychecks or portions of a paycheck were diverted to an unauthorized bank account, according to a statement from Megan Varner Price, assistant vice president of university relations and publications. Price said a hacker gained access to the university’s payroll system, but the breach was caught almost immediately by internal controls. The university worked with law enforcement and IT staff to trace what happened and affected employees were notified. All diverted funds were replaced by pay day, Price said.
https://www.indexjournal.com/news/summer-data-breach-at-lander-caught-before-paychecks-diverted/article_67e4cefe-459b-595e-b2bf-204b2554398d.html
Wed, 10 Nov 2021 14:08:00 -0600
40,000 U of T student emails targeted by phishing attempt
Phishing: On November 1, U of T alerted students that scam emails were being sent to their school emails. The notice warned that "many members of [the U of T] community have received an email purporting to be from the ‘COVID-19 Support Team.’ This email encourages recipients to visit the ‘University of Toronto giveaway page’ to be eligible for a one-time cash award." The original scam email offered $2,920 to all eligible faculty members, staff, and students due to the ongoing pandemic, claiming that U of T has decided to support community members so they could "get through these hard times." The email asked ‘qualified’ community members to register with their information to be considered for the giveaway. It explained that any submission that did not have all of the information the email requested would not be processed.
https://thevarsity.ca/2021/11/14/u-of-t-scam-emails-covid-19-support-team/
Sun, 14 Nov 2021 13:34:10 -0600
Nearly 30K former and current CU Boulder students’ personal information hacked
Data Breach: The University of Colorado Boulder is sending emails to roughly 30,000 former and current students that have been impacted by a data breach, according to a release from the university. Most of the people impacted are no longer CU students or employees, according to the release. The university said the third-party software, provided by Atlassian, had a vulnerability that impacted a program used by the Office of Information Security. The office did an analysis that showed some data was accessed by a hacker. The personal information included names, student ID numbers, addresses, dates of birth, phone numbers and genders.
https://kdvr.com/news/local/cu-boulder-data-breach/
Mon, 25 Oct 2021 11:11:45 -0500
Chico State employee charged with hacking, leaking vaccine exemption requests
Data Breach: A Chico State employee has been charged with criminal hacking after officials say he leaked vaccine exemption requests and personal information from some students. The employee is accused of publishing a list of Chico State students who applied for a religious exemption from the university's COVID-19 vaccine requirement. Authorities say that the employee worked for Chico State's IT department and hacked into multiple computers to access the information.
https://krcrtv.com/news/local/chico-state-employee-charged-with-hacking-leaking-vaccine-exemption-requests
Thu, 21 Oct 2021 09:10:00 -0500
Ransomware risk: 6 steps colleges can take to help prevent cyberattacks
Ransomware Prevention: Is your institution at risk of a ransomware attack? That might depend on your network security, the openness of your platforms, and the proactive steps being taken to ensure data are continually protected. Colleges and universities have been relatively soft targets for online thieves looking to steal the latest research or personal information on students. Howard University, the University of California at San Francisco and University of Utah are among at least two dozen institutions where major breaches have occurred since the start of the COVID-19 pandemic.
https://universitybusiness.com/ransomware-risk-6-steps-colleges-can-take-to-help-prevent-cyberattacks/?eml=20211022&oly_enc_id=5790I3345367I6Z
Mon, 18 Oct 2021 10:07:42 -0500
Washington Adventist University Hit By Ransomware Attack
Ransomware: Washington Adventist University (WAU) said it experienced a ransomware attack Saturday and that its Wi-Fi and internet access from the campus would not be available until further notice. The private university in Takoma Park, Maryland, said data may have been exposed but did not provide more details. The school is working with the Montgomery County Cyber Taskforce and the FBI to resolve the attack.
https://www.nbcwashington.com/news/local/washington-adventist-university-hit-by-ransomware-attack/2820163/
Sun, 3 Oct 2021 15:10:04 -0500
Thousands of UNM Health records breached
Data Breach: A massive data breach at University of New Mexico Health may have allowed a third party to obtain certain medical records from 600,000-plus patients -- more than a quarter of the state’s population. UNM Health has been mailing letters to affected patients who had been treated at either UNM Hospital, UNM Medical Group or the UNM Sandoval Regional Medical Center, hospital officials said in a news release. The breach happened May 2 and UNM learned of it June 4, according to the release. Dr. Michael Richards, senior vice chancellor for clinical affairs for the UNM Health System, said in a video posted to the health system’s website that patient names, medical record numbers and Social Security numbers were among the information obtained during the data breach. He said patient electronic medical records were not involved in the hack.
https://www.abqjournal.com/2429163/thousands-of-unm-health-records-breached.html
Tue, 14 Sep 2021 11:17:28 -0500
Ransomware attack under investigation at Howard University, classes canceled Wednesday too
Ransomware: Howard University announced Monday that they are investigating a ransomware attack and canceled classes through Wednesday. According to school officials, their information technology team detected unusual activity on the school's network last Friday. Due to the unusual activity, the school's Enterprise Technology Services (ETS) intentionally shut down the university’s network to investigate. An alternative Wi-Fi system will be deployed on campus, but won't be available until Wednesday.
https://wjla.com/news/local/howard-university-investigates-alleged-ransomware-attack
Tue, 7 Sep 2021 15:45:05 -0500
Student files class action lawsuit against SU over data breach that affected 10,000
Data Breach Lawsuit: A Syracuse University student affected by a data breach that exposed the names and Social Security numbers of nearly 10,000 students, alumni, and applicants is suing the university for negligence. The class action lawsuit, which was filed in Onondaga County Supreme Court on Thursday, alleges that inadequate cybersecurity protocols and poor staff training at SU left thousands of people’s personally identifiable information vulnerable. The plaintiff filed the case after an unauthorized charge was made to his checking account following the breach. He is requesting a trial by jury.
https://dailyorange.com/2021/09/student-sues-syracuse-university-data-breach-exposed-nearly-10000-names/
Thu, 2 Sep 2021 15:46:15 -0500
Data breach at California college exposes student requests for COVID vaccine exemptions
Data Breach: Personal information from California State University, Chico, students who requested a religious exemption from the COVID vaccine has been posted online after an apparent data breach. The requests from about 130 students were dumped on an anonymous Internet message board, documenting approved and denied requests from CSU Chico students between June 7 and Aug. 10. A commenter on the site linked to an Excel spreadsheet with detailed explanations from students who had asked to be exempted from receiving the vaccine in order to attend the college. Student names and phone numbers were included in many of the entries.
https://www.fresnobee.com/news/california/article253687118.html
Mon, 23 Aug 2021 09:32:57 -0500
Data breach from contact tracing survey ‘low risk’ to Hoosier privacy, 750,000 affected
Data Breach: The Indiana Department of Health announced Tuesday it is notifying nearly 750,000 Hoosiers that data from the state’s COVID-19 online contact tracing survey was improperly accessed back in July. The data included name, address, email, gender, ethnicity and race, and date of birth. "We believe the risk to Hoosiers whose information was accessed is low. We do not collect Social Security information as a part of our contact tracing program, and no medical information was obtained," said State Health Commissioner Kris Box, M.D., FACOG. "We will provide appropriate protections for anyone impacted."
https://www.wane.com/news/indiana/data-breach-from-contact-tracing-survey-low-risk-to-hoosier-privacy-750000-affected/
Tue, 17 Aug 2021 10:24:40 -0500
Centennial College says data breach impacted its international students
Data Breach: Centennial College was informed last month by its provider of emergency medical insurance for international students that an unauthorized third party illegally accessed its computer network, resulting in a breach of client data. The breach was reported by guard.me International Insurance on July 22.
https://www.thestar.com/local-toronto-scarborough/news/2021/08/17/centennial-college-says-data-breach-impacted-its-international-students.html
Tue, 17 Aug 2021 11:32:04 -0500
Data breach at New York university potentially affects 47,000 citizens
Data Breach: A data breach at a New York university has potentially exposed the personal information of nearly 47,000 individuals. The Research Foundation for the State University of New York (SUNY) announced it detected unauthorized access to its networks earlier this year. The incident was discovered on July 14, and reportedly involved Social Security numbers. A total of more than 46,700 individuals are said to be impacted by the data breach, although it’s not stated whether these people are employees, donors, or others who might be linked to the organizations.
https://portswigger.net/daily-swig/data-breach-at-new-york-university-potentially-affects-47-000-citizens
Mon, 16 Aug 2021 10:37:36 -0500
Facebook pressed by U.S. lawmakers on disabling NYU research accounts
Privacy/Research: U.S. lawmakers pressed Facebook Inc on Monday on why it disabled the accounts of researchers studying political ads on the social media platform, saying it was "imperative" that experts be allowed to look into "harmful activity ... proliferating on its platforms." Facebook said on Tuesday it had cut off the personal accounts and access of a group of New York University researchers, citing concerns about other users’ privacy. Facebook has said that the research violated rules to protect the privacy of the social media company’s users.
https://www.reuters.com/article/us-tech-facebook-congress/facebook-pressed-by-us-lawmakers-on-disabling-nyu-research-accounts-idUSKBN2FA0N9
Mon, 9 Aug 2021 10:12:22 -0500
UK data breach exposes email addresses of 355K students, teachers
Data Breach: A data breach at the University of Kentucky exposed the email addresses of more than 355,000 students and teachers nationwide. The database that was breached did not contain any financial, health or social security information, according to a news release.
It was part of the Digital Driver's License database that is used by schools and colleges in Kentucky and other states. Kentucky students have taken civic courses through the program in recent years.
https://www.wdrb.com/news/uk-data-breach-exposes-email-addresses-of-355k-students-teachers/article_47fb8210-f623-11eb-a90c-5bafd8d9d6f9.html
Thu, 5 Aug 2021 10:38:46 -0500
Unauthorized Access to a Single UNC School of Medicine Email Account
Data Breach: Today, The University of North Carolina at Chapel Hill School of Medicine and The University of North Carolina Hospitals announced that they are mailing letters to some patients whose information may have been involved in a recent incident. On May 20, 2021, SOM and UNC Hospitals learned that an unauthorized person may have gained access to a single SOM faculty member’s email account. This SOM faculty member provides clinical services at UNC Hospitals. SOM and UNC Hospitals secured the impacted email account, began an investigation, and a cyber security firm was engaged to assist in the investigation.
https://www.businesswire.com/news/home/20210719005463/en/Patients-to-be-Notified-of-Unauthorized-Access-to-a-Single-UNC-School-of-Medicine-Email-Account
Mon, 19 Jul 2021 10:37:47 -0500
Ransomware attacks target Virginia Tech, no data believed stolen
Ransomware: Virginia Tech was the target of two cyberattacks recently, but the university does not believe that data was stolen or taken. Tech was one of over potentially 1,000 businesses affected by a ransomware attack earlier this month that was centered on U.S. information technology firm Kaseya, which provides software tools to IT outsourcing shops. Virginia Tech spokesman Mark Owczarski said Friday a few university units use Kaseya, a Miami-based company that provides software tools to IT outsourcing shops. He said the malware the hackers pushed out to Kaseya customers could have exposed Virginia Tech student data, but the university found no evidence that happened.
https://roanoke.com/news/local/education/ransomware-attacks-target-virginia-tech-no-data-believed-stolen/article_df39bb1a-e66a-11eb-b4a1-e3b1d5dad157.html
Fri, 16 Jul 2021 10:20:14 -0500
University of Massachusetts Lowell cancels classes after possible 'cybersecurity incident'
IT Outage: The University of Massachusetts Lowell canceled all in-person and online classes for the second day following a "cybersecurity incident," the school said. The public research university has been keeping staff and students updated on the breach on the temporary website UMassLowell.com while the school's main website remains unavailable. Officials reported the incident Tuesday and said in an online statement that the university, including its Haverhill campus, was closed "due to an IT outage."
https://www.nbcnews.com/news/us-news/university-massachusetts-lowell-cancels-classes-after-possible-cybersecurity-incident-n1270995
Wed, 16 Jun 2021 11:05:13 -0500
Sierra College responding to ransomware attack during finals week
Ransomware: Northern California’s Sierra College is working on restoring some online services during finals week after a ransomware attack, according to the community college’s website. The school, located in Rocklin, about 20 miles outside Sacramento, first reported outages on Wednesday, the Sacramento Bee reported. The school’s website says that some services are in the process of being restored, but includes few other details of the incident, including the type of ransomware used.
https://edscoop.com/sierra-college-responding-to-ransomware-attack-during-finals-week/
Fri, 21 May 2021 10:39:12 -0500
University of Houston seniors affected by data breach at cap and gown company
Data Breach: A company that provides caps and gowns for graduation ceremonies said Tuesday it is apologizing after an apparent data theft exposed the payment information of some graduating university seniors. The revelation came after several students across the country started noticing strange bank activity and lamented that they had not been warned their accounts might be at risk. The company is Indianapolis-based Herff Jones, which on its website says it provides "class rings and jewelry, caps and gowns, yearbooks, diplomas, frames and announcements..."
https://www.khou.com/article/news/nation-world/herff-jones-cap-gown-graduation-payment-information-theft/507-def01040-b9b9-40da-b0a0-50dc6733806f
Tue, 11 May 2021 10:43:25 -0500
Online Cheating Charges Upend Dartmouth Medical School
Cheating Allegations/Remote Testing: Sirey Zhang, a first-year student at Dartmouth’s Geisel School of Medicine, was on spring break in March when he received an email from administrators accusing him of cheating. Dartmouth had reviewed Mr. Zhang’s online activity on Canvas, its learning management system, during three remote exams, the email said. The data indicated that he had looked up course material related to one question during each test, honor code violations that could lead to expulsion, the email said.
https://www.nytimes.com/2021/05/09/technology/dartmouth-geisel-medical-cheating.html?action=click&module=Spotlight&pgtype=Homepage
Sun, 9 May 2021 10:51:43 -0500
Cyberattack knocks out RPI computer systems
Cyberattack: Rensselaer Polytechnic Institute is three days into dealing with a malware attack that has shut down much of its computer network, impacting the university’s students as they go into finals for the spring semester. The attack prompted RPI on Sunday to announce all final examinations, term papers and project reports due on Monday and Tuesday were canceled. In a post on Instagram, the university said grading policies would be modified to reflect the cancelations. Modifications were also being made for any tests that were interrupted by Friday’s attack.
https://www.timesunion.com/news/article/Cyber-attack-knocks-out-RPI-computer-systems-16162678.php
Sun, 9 May 2021 10:09:52 -0500
Data breach by former employee exposes 1,500+ in University of Florida Health Shands system
Data Breach: UF Health Shands is acknowledging a data breach by a former employee who they say "accessed medical records outside the scope of their duties," according to a press release. The information accessed by the former employee includes names, mailing addresses, phone numbers, medical record numbers and dates of birth, as well as clinical information from E.R. visits. The release notes that the 1,562 patients affected by this have already been notified, and that the breach did not involve social security numbers, insurance details or other financial information. The date range for when the records were accessed extend from March 20, 2019 to April 6, 2021.
https://www.wcjb.com/2021/05/07/data-breach-by-former-employee-exposes-1500-in-university-of-florida-health-shands-system/
Fri, 7 May 2021 10:27:56 -0500
UCC sends errant email to hundreds
Privacy Breach: Professional email etiquette has been preached over the last year as virtual learning and interactions have grown. Double-check the spelling, make sure it’s being sent from your university account and if the recipient list is encrypted, make sure it stays encrypted. On the morning of April 14, the University Counseling Center sent out a feedback survey to 860 email addresses -- some students, faculty, staff and 68 accounts unaffiliated with the university -- in which the recipient list was unencrypted and visible to all who had access to the email. About 10 minutes later, Interim Director Dr. Daniel Paredes sent out a subsequent email with the subject line "DELETE PREVIOUS E-MAIL WITHOUT OPENING".
https://wfuogb.com/12891/news/ucc-sends-errant-email-to-hundreds/
Thu, 22 Apr 2021 08:55:47 -0500
Platforms Like Canvas Play Fast and Loose With Students’ Data
Privacy: In 2018, Rutgers University made a move that hundreds of other universities before it had made: It switched its online learning platform from Sakai--a free, community-sourced system--to Canvas, which is owned by a company called Instructure. The switch was significant: Now the university was paying hundreds of thousands of dollars a year for a product that didn’t have to be transparent about what it did with the information and data it was mining from its users. Such systems are constantly recording users’ interactions with it--how long it takes a student to complete an assignment, for example, or her deleted words and keystrokes, and users’ IP addresses.
https://www.thenation.com/article/society/canvas-surveillance/
Thu, 22 Apr 2021 10:05:32 -0500
USI urges students, staff to change passwords after email breach
Phishing Attack: The University of Southern Indiana says they were hit with one of the most successful hacker phishing attacks they have seen. University officials say they know of at least 20 accounts that were broken into, which resulted in another 44,000 emails being sent out. The email looked like it was from the USI IT Help Desk, and said the student or faculty member had reached their email quota and asked them to click a link. If you clicked the link and entered your password, IT says your password has been stolen. If this happened to you, do this immediately:
https://www.tristatehomepage.com/news/local-news/usi-reports-phishing-hacker-attack/
Wed, 21 Apr 2021 11:00:24 -0500
Students warned of data breach after cyberattack hits UC system
This information comes in the context of a U.S. cyberattack where the entire University of California system was included in those victimized in the breach, and emails soon started arriving at university-related accounts threatening to release information. The data breach involves the technology company Accellion, contracted by UC and others to transfer information. Those victimized in the breach have been warned to change their passwords and other credentials. Sanders puts the incident into context, stating: "This latest cyberattack shows how the Accellion breach continues to impact organizations. Higher education continues to be inundated with breaches and cyberattacks, and unfortunately this latest breach from the University of California system is a part of a recurring theme."
http://www.digitaljournal.com/tech-and-science/technology/students-warned-of-data-breach-after-cyberattack-hits-uc-system/article/588594
Mon, 19 Apr 2021 14:14:03 -0500
UK sends 500,000 acceptance emails in 'error'
Mistaken Letters Mailed: At the height of college decision season, the University of Kentucky emailed 500,000 high school seniors an acceptance letter to a "selective" College of Health Sciences program that usually accepts 35 to 40 students a year. The acceptance email was sent to seniors on March 15 saying, "We are pleased to inform you that you have been accepted into the selective Clinical and Management program in the University of Kentucky College of Health Sciences for the Fall 2021." The University admitted to LEX 18 the emails were sent in "error." University of Kentucky Spokesman Jay Blanton said the emails were sent using the school's Customer Relationship Management (CRM) tool.
https://www.lex18.com/news/lex-18-investigates/uk-sends-500-000-acceptance-emails-in-error
Fri, 9 Apr 2021 13:06:15 -0500
Michigan State Title IX case files leaked in consulting data breach
Data Breach: Michigan State sent out an email to just under 350 people yesterday notifying them that Title IX case files from Michigan State were a part of a data breach of Bricker and Eckler Law Firm, which assisted in Michigan State’s Title IX investigations, Michigan State’s Title IX Communications Manager Christian Chapman said. Bricker and Eckler is an Ohio law firm that is the parent company of INCompliance Consulting, which was hired by the University to assist in Title IX investigations and hearings. Bricker and Eckler underwent a ransomware attack between Jan. 14 and Jan. 31, which leaked personal information from its clients, including information from INCompliance Title IX investigations that they were a part of at Michigan State.
https://statenews.com/article/2021/04/michigan-state-title-ix-case-files-leaked-in-consulting-data-breach?ct=content_open&cv=cbox_featured
Tue, 6 Apr 2021 09:37:12 -0500
Brown University hit by cyberattack, some systems still offline
Cyberattack: Brown University, a private US research university, had to disable systems and cut connections to the data center after suffering a cyberattack on Tuesday. The Ivy League school's IT staff said the attack focused on the university's Windows-based devices and asked faculty and staff to switch to computers running other operating systems, smartphones, or tablets. Since the attack hit Brown's network, the university's IT staff has brought back online most www.brown.edu websites, the library.Brown.edu domain, and listserv services. Brown's IT staff is still working on restoring connectivity and bringing additional systems back online to return operating status to normal.
https://www.bleepingcomputer.com/news/security/brown-university-hit-by-cyberattack-some-systems-still-offline/
Fri, 2 Apr 2021 15:07:53 -0500
Universities Across the Country Are Being Swept Up in a Large Data Fiasco
Ransomware/Data Breach: A number of prominent U.S. colleges have become the newest, unlucky recipients of a cybersecurity migraine currently affecting dozens of organizations all over the world. You may have heard something about Accellion--the global cloud provider whose secure-file transfer product (called FTA) was beset by a hacking campaign back in December. As of Thursday, at least six different universities have allegedly had their data leaked to the dark web--the likes of which includes quite sensitive information. The victims are: Stanford University, the University of Maryland Baltimore, the University of Miami, the University of California Merced, the University of Colorado Boulder, and the Yeshiva University, a prominent private research university based in New York City.
https://gizmodo.com/universities-across-the-country-are-being-swept-up-in-a-1846602529
F07C2622-20C1-4BDA-A08D-89E71EECDA72Thu, 1 Apr 2021 11:01:59 -0500Data Breach Affects 200,000 University Students and EmployeesData Breach: On February 3rd 2021, 200,000 students and employees at Simon Fraser University (SFU) had their academic data as well as their personally identifiable information, including their name and date of birth, compromised. Following this serious data breach, a lawsuit has been issued against the university citing the failure to have preventative measures in place to protect student and employee data. As a consequence, the university could not adequately prevent or detect any unauthorised access of private and confidential data.
https://www.industryanalysts.com/040121_ringdale/
5468DAC6-5287-4A73-AB4B-0566189DD6BAThu, 1 Apr 2021 10:40:14 -0500IRS warns university students and staff of impersonation email scamPhishing Scam: The Internal Revenue Service today warned of an ongoing IRS-impersonation scam that appears to primarily target educational institutions, including students and staff who have ".edu" email addresses. The IRS' phishing@irs.gov has received complaints about the impersonation scam in recent weeks from people with email addresses ending in ".edu." The phishing emails appear to target university and college students from both public and private, profit and non-profit institutions. The suspect emails display the IRS logo and use various subject lines such as "Tax Refund Payment" or "Recalculation of your tax refund payment." It asks people to click a link and submit a form to claim their refund.
https://www.irs.gov/newsroom/irs-warns-university-students-and-staff-of-impersonation-email-scam
E80221E4-43B0-4EC6-AA7E-CF0BDB8B35F8Thu, 1 Apr 2021 10:35:48 -0500Mott Community College addresses data security breachData Breach: Mott Community College announced Wednesday that it has identified and addressed a data security breach. Through an investigation, Mott Community College determined that an unauthorized person obtained access to its systems between November 27 and January 9, and transferred files maintained on one of its systems outside of its network. The college discovered Jan. 23 that the files that were acquired by the unauthorized person may have included information relating to its self-insured dental plan, according to a Wednesday, March 24 news release.
https://www.mlive.com/news/flint/2021/03/mott-community-college-addresses-data-security-breach.html
B2445796-256F-4798-9C7E-93AD5E93637CWed, 24 Mar 2021 10:40:26 -0500Ransomware Group Leaks Information From CU Cyberattack On Dark WebRansomware/Data Breach: A ransomware group has leaked data allegedly stolen from the University of Colorado on the dark web. In February, CU announced it was investigating a cyberattack believed to be the largest in the university’s history. The attack targeted a vulnerability in the File Transfer Appliance from Accellion, a third-party vendor. Accellion says the hack impacted fewer than 100 clients, with 25 suffering significant data theft. Officials said personal information of CU Boulder and CU Denver students, along with prospective students, and employees may have been accessed.
https://denver.cbslocal.com/2021/03/23/cu-university-of-colorado-cyberattack-accellion-data-breach-dark-web-clop-ransomware/
6888E7C3-49F9-491F-8736-DACAEFBB737ETue, 23 Mar 2021 11:15:23 -0500Over 200,000 students at Maricopa Community Colleges without tech systems since TuesdayCyberattack: Maricopa Community Colleges reported on Friday evening that it will extend the spring semester by a week and resume class instruction for all modalities on March 29, after its internet technology systems had been down since Tuesday, affecting coursework for thousands of students. As of Friday afternoon, the school system has continued to cite "emergency maintenance" in communications to students about its internet technology system issues. In an email sent to The Republic on Friday, Dasi Danzig, a district spokesperson, said the shutdown was a result of "unauthorized, suspicious" activity in their network, which appears to be "the early stages of a cyberattack."
https://www.azcentral.com/story/news/local/arizona-education/2021/03/19/maricopa-community-college-students-without-tech-systems/4759189001/
D78DFCB8-E400-4E8F-9E36-BAC6E933324EFri, 19 Mar 2021 11:17:27 -0500Students Sue Online Exam Proctoring Service ProctorU for Biometrics Violations Following Data BreachPrivacy Lawsuit: Online exam proctoring companies like ProctorU "have seen a significant uptick in light of the COVID-19 pandemic, which has caused institutions to move exams online. This has led to significant privacy implications for students"; specifically, three students filed a class-action complaint on Friday in the Central District of Illinois against ProctorU for alleged biometric violations, particularly after a data breach. According to the complaint, ProctorU "develops, owns, and operates an eponymous online proctoring software service that collects biometric information," in violation of the Illinois Biometric Information Privacy Act (BIPA).
https://lawstreetmedia.com/tech/students-sue-online-exam-proctoring-service-proctoru-for-biometrics-violations-following-data-breach/
B2DDA0BC-B529-41A1-B0A7-F962D3A5148CMon, 15 Mar 2021 09:39:59 -0500College closes all campuses for a week following ‘major’ cyber attackCyberattack: A Birmingham college has closed all its campuses to students for a week following a "major" ransomware cyber attack that disabled its core IT systems. The eight sites of South and City College Birmingham will be shut and revert to online teaching from today while computer forensic specialists work to fix the problem. The college has since confirmed to FE Week the attack on Saturday involved data "on a number of servers and workstations connected to our domain" being encrypted by ransomware, while "a volume of data has been extracted from our servers".
https://feweek.co.uk/2021/03/15/college-group-closes-all-campuses-for-a-week-following-major-cyber-attack/
8AE962CA-8279-454E-A3FC-DDEA81B7308BMon, 15 Mar 2021 14:08:19 -0500UTEP detected "unauthorized" and potentially "malicious" intrusion on networkCyberattack: Officials at the University of Texas at El Paso say an unauthorized and potentially malicious intrusion was identified in its digital network on Friday. The university turned off all campus systems leading to campus-wide issues into the weekend. UTEP released a statement on Sunday night saying staff is working to bring back online services like Blackboard so they can be available on Monday morning.
https://www.ktsm.com/local/utep-detected-unauthorized-and-potentially-malicious-intrusion-on-network/
6B7DB6FB-715F-4102-A868-7E62017BBC33Sun, 7 Mar 2021 09:58:06 -0600DePaul University targeted by class action over facial recognition tech used in online exam proctoringPrivacy Lawsuit: DePaul University has become the latest Illinois university targeted under the state’s biometrics privacy law over online monitoring of students taking exams. On March 3, attorney Brian K. Murphy, of the firm of Murray Murphy Moul & Basil, of Columbus, Ohio, filed suit in Cook County Circuit Court against DePaul. The lawsuit claims the university violated the Illinois Biometric Information Privacy Act (BIPA), in the way it required students to take exams online.
https://cookcountyrecord.com/stories/575775581-depaul-university-targeted-by-class-action-over-facial-recognition-tech-used-in-online-exam-proctoring
86D18D78-B736-4105-982F-29466FBB04F5Fri, 5 Mar 2021 09:50:06 -0600Millersville University confirms external cyber attack on networkCyberattack: Millersville University confirmed that on Sunday, February 28 they received an external attack on their network. The external attack on the university's network caused in-person and virtual classes to be canceled on Monday and Tuesday.
https://local21news.com/news/local/millersville-university-confirms-external-attack-on-network
943CF313-7B6C-4CB6-ABE6-33B3EC4199C4Tue, 2 Mar 2021 11:17:21 -0600Hackers Break Into ‘Biochemical Systems’ At Oxford University Lab Studying Covid-19Cyberattack: One of the world’s top biology labs--one whose renowned professors have been researching how to counter the Covid-19 pandemic--has been hacked. Oxford University confirmed on Thursday it had detected and isolated an incident at the Division of Structural Biology (known as "Strubi") after Forbes disclosed that hackers were showing off access to a number of systems. These included machines used to prepare biochemical samples, though the university said it couldn’t comment further on the scale of the breach. It has contacted the National Cyber Security Center (NCSC), a branch of the British intelligence agency GCHQ, which will now investigate the attack.
https://www.forbes.com/sites/thomasbrewster/2021/02/25/exclusive-hackers-break-into-biochemical-systems-at-oxford-uni-lab-studying-covid-19/?sh=20e446862a39
53B096A1-3607-4A5C-9DA1-15FB0974377BMon, 1 Mar 2021 09:41:35 -0600Lakehead University campus computers remain inaccessible due to cyber attackCyberattack: Computers on Lakehead University's campus remain unavailable for use as the institution continues to deal with a cyber attack. Lakehead announced the cyber attack Tuesday afternoon, saying at the time all computers on both the Thunder Bay and Orillia campuses were being shut down. In an update provided on Thursday morning, Lakehead said the attack was directed at its file share servers, and Technology Services Centre staff removed all access to those services as soon as they became aware of the attack. Staff are working to determine exactly which servers, and data, were affected by the attack. In the meantime, all information stored on the file servers will be inaccessible, and all campus computers unavailable for use.
https://www.cbc.ca/news/canada/thunder-bay/lakehead-university-cyber-attack-1.5918516
4652AAAA-A1F2-438D-BBBB-DD87EB4B7F1FThu, 18 Feb 2021 13:36:58 -0600UAH email accounts compromised through phishing attemptsData Breach: Multiple UAH email accounts were compromised through a phishing attempt in January, that’s confirmed by the UAH Office of Information Technology. Some emails impacted did contain personal information such as name, date of birth, or social security number. However, school officials say there was no server or directory impacted and no credit card or banking information was included. On February 17,
https://www.waff.com/2021/02/19/uah-email-accounts-compromised-through-phishing-attempts/
FE11E334-CED4-4D98-8EA6-E274F3777B21Thu, 18 Feb 2021 10:46:36 -0600CPCC shutdown from ransomware attack continues into 2nd weekRansomware Attack: The ransomware attack and subsequent technology disruption at Central Piedmont Community College continued into a second week of canceled online classes and offline email and phone systems. According to CPCC, the FBI and other state agencies are investigating the attack which was first detected last Wednesday. Based on an "exhaustive" investigation, there is no indication that any employee or student information was leaked, the school said. Online classes are canceled through Wednesday, Feb. 17, but some classes will continue to meet in person, according to CPCC.
https://www.charlotteobserver.com/news/local/article249285260.html
68D7E1A7-D555-4E64-ABB5-221F4413A93CThu, 18 Feb 2021 09:17:21 -0600The Surveilled StudentPrivacy: The message, tucked in a routine fall-planning email to Oakland University students, took Tyler Dixon by surprise. Along with wearing masks and social distancing, students living on campus would be expected to wear a coin-size "BioButton" attached to their chests with medical adhesive. It would continuously measure their temperature, respiratory rate, and heart rate, and tell them whether they’d been in close contact with a button wearer who’d tested positive for Covid-19. In conjunction with a series of daily screening questions, the button would let them know if they were cleared for class.
https://www.chronicle.com/article/the-surveilled-student?utm_source=Iterable&utm_medium=email&utm_campaign=campaign_2017478_nl_Academe-Today_date_20210219&cid=at&source=ams&sourceId=3807591&cid2=gen_login_refresh
0E641528-9823-4D18-AA95-F1F7EAF9FBE2Mon, 15 Feb 2021 10:53:58 -0600Midland University back online after hackRansomware Attack: A ransomware incident at Midland University caused a temporary disruption to the school’s web systems this month. University officials say the disruption was "minimal" and that all systems are now up and running at full strength. As for what the ransomware perpetrators were after, that remains unclear according to Nelson. "We do not know what they got," Nelson said. "They did not provide that information. We know it was international." As for any potential leak of personal information, Nelson said that there has been no indication of that yet.
https://www.newschannelnebraska.com/story/43328563/midland-university-back-online-after-hack
E26F2979-0F01-4C3E-8D55-68834A3380E3Wed, 10 Feb 2021 10:20:25 -0600Names, social security numbers of SU students exposed in data breachData Breach: The names and social security numbers of several Syracuse University students have been exposed after someone gained unauthorized access to an employee’s email account. Last week, the university sent letters to affected students, alerting them that the university had investigated a data security breach involving some of their personal information. The unauthorized party accessed the employee’s email account between Sept. 24 and 28.
http://dailyorange.com/2021/02/names-social-security-numbers-of-syracuse-university-students-exposed-in-data-breach/
ED9AFA52-1509-4496-84EF-CCA134CF8A00Wed, 10 Feb 2021 11:32:15 -0600Most zoombombing incidents are inside jobsZoombombing: As the COVID-19 virus spread worldwide in early 2020, much of our lives went virtual, including meetings, classes and social gatherings. The videoconferencing app Zoom became an online home for many of these activities, but the migration also led to incidents of zoombombing -- disruptors joining online meetings to share racist or obscene content and cause chaos. Similar apps such as Google Meet and Skype also saw problems. Cybersecurity experts expressed concerns about the apps’ ability to thwart hackers. A study, however, shows that most zoombombing incidents are "inside jobs."
https://www.helpnetsecurity.com/2021/02/09/most-zoombombing-incidents-are-inside-jobs/
35F0E33A-2042-464F-B23F-B5C48E66223ETue, 9 Feb 2021 14:17:21 -0600University will stop using controversial remote-testing software following student outcryOnline Proctoring: The University of Illinois Urbana-Champaign announced that it will discontinue its use of remote-proctoring software Proctorio after its summer 2021 term. The decision follows almost a year of outcry over the service, both on UIUC’s campus and around the US, citing concerns with privacy, discrimination, and accessibility. Proctorio is one of the most prominent software platforms that colleges and universities use to watch for cheating on remote tests. Though Proctorio and similar services have been around for years, their use exploded in early 2020 when COVID-19 drove schools around the US to move a bulk of their instruction online. So, too, has scrutiny towards their practices. Students and instructors at universities around the country have spoken out against the widespread use of the software, claiming that it causes unnecessary anxiety, violates privacy, and has the potential to discriminate against marginalized students.
https://www.theverge.com/2021/1/28/22254631/university-of-illinois-urbana-champaign-proctorio-online-test-proctoring-privacy
1CD4C349-D9DA-48D7-838D-61B955CC2553Mon, 1 Feb 2021 14:19:03 -0600Online Proctoring Companies Respond to Senators’ Equity ConcernsRemote Proctoring: A group of Democratic senators, led by Sen. Richard Blumenthal, called on three online proctoring companies to respond to equity and privacy concerns raised by students last month. The senators’ inquiry stemmed from reports that, in some cases, facial recognition software failed to identify students of color and students who wear religious garb, like a hijab. Students with disabilities also said online proctoring technology flagged their involuntary movements, like muscle spasms, as possible signs of cheating. The exchange between senators and companies shines a spotlight on an industry that’s boomed since the COVID-19 pandemic shifted courses online, raising questions about the benefits and ethical challenges of using technology to monitor test-takers remotely.
https://diverseeducation.com/article/203362/
6E2E0377-5545-4DC3-8DB3-F09DDCF848E2Wed, 27 Jan 2021 14:03:59 -0600TWU systems recovering after Friday ransomware attackRansomware Attack: Tennessee Wesleyan University was the target of a cyber attack that held certain files for ransom last week. The university is currently investigating the attack that was made on the campus network early Friday morning along with local officials, the Tennessee Bureau of Investigation (TBI), and TWU’s insurance company’s cyberattack team. According to a press release by TWU, all of the university’s networks had been shut down since just before 10 a.m. as campus officials became aware of the attack.
https://www.dailypostathenian.com/news/article_8eabb310-4295-5949-9634-f5f85819352e.html
3E9A2970-2B70-40FF-B350-4324091F199CMon, 25 Jan 2021 09:20:02 -0600University Medical Center- New Orleans: Patient info may have been leaked in LSU HCSD data breachData Breach: On November 20, 2020, LSU Health New Orleans Health Care Services Division (LSU HCSD) notified the public of a data breach through an employee’s email account. LSU HCSD has since become aware that the employee’s electronic mailbox also included information from its partner hospital, University Medical Center- New Orleans (UMC-NO.) UMC-NO was notified by LSU HCSD of the possibility that some of its patients’ protected information may have been accessible to the cyber intruder. UMC-NO is in the process of conducting its own investigation and discovery.
https://www.klfy.com/louisiana/university-medical-center-new-orleans-patient-info-may-have-been-leaked-in-lsu-hcsd-data-breach/
034DB718-F0AD-4ED1-BC7A-2B9B89E2548FMon, 11 Jan 2021 10:52:11 -0600Kent State University systems potentially hacked in widespread software breachSoftware Breach: Kent State University is among 24 organizations identified by the Wall Street Journal as having software on its computers that gave hackers potential access to data. According to a Wall Street Journal analysis, the hackers may have had access to Kent State’s systems for more than a year. The Wall Street Journal reports that Kent State computers were infected with a tainted network monitoring software called SolarWinds Orion that allowed hackers to access the network through a so-called "backdoor" in the code.
https://www.cleveland.com/news/2020/12/kent-state-university-systems-potentially-hacked-in-widespread-software-breach.html
7DB54EB9-CB3B-4851-8822-BEA87F69706BFri, 1 Jan 2021 09:34:59 -0600Texas Tech HSC informs patients of potential data breachData Breach: Texas Tech University Health Sciences Center on Thursday announced that it has sent letters to patients who have been impacted by a third-party vendor's data breach the university learned about this fall. TTUHSC was notified Oct. 15 of a ransomware attack on Blackbaud Inc’s system that occurred some time in May 2020, according to a news release from TTUHSC. Blackbaud reported that it investigated the matter and determined there had been unauthorized access to its systems, which contained TTUHSC patient information.
https://www.lubbockonline.com/story/news/2020/12/10/texas-tech-hsc-informs-patients-potential-data-breach/3884560001/
418CC402-7F2D-4E00-B7AB-535A2C1AF0B0Thu, 10 Dec 2020 11:11:45 -0600Personal information of some University of Memphis employees exposed in security breachData Breach: A security breach at the University of Memphis has caused private information of certain faculty and staff members to be compromised. In an email obtained by MBJ -- dated Dec. 4 and sent to faculty and staff members -- U of M CIO Robert Jackson said an individual had hacked into a university email account. While the institution doesn’t believe any information was stolen or misused, personal details were accessible in an unencrypted format.
https://www.databreaches.net/tn-personal-information-of-some-university-of-memphis-employees-exposed-in-security-breach/
2D71AF7B-D4B2-491F-A756-00DE8B346172Wed, 9 Dec 2020 10:20:12 -0600Illinois Valley Community College sends letter warning of data breachData Breach: Illinois Valley Community College has sent out more than 160,000 letters to current and former students, faculty and applicants warning them that their data may have been compromised in connection with a data breach back in April. Cheryl Roelfsema, IVCC’s vice president for business services and finance, said that, as of now, the school is unaware of any incidents related to the data obtained from the breach.
https://www.newstrib.com/2020/11/24/illinois-valley-community-college-sends-letter-warning-of-data-breach/a65oecs/
F27708E8-1E26-4E90-A2C8-4DD06914F697Tue, 24 Nov 2020 10:50:10 -0600Heartland Hackers Attacked For Hours Before College Systems CrashedBreach: Hackers carefully considered the timing of the Oct. 5 cyberattack on Heartland Community College. "We could see that there was heavy activity starting at about 1 a.m., so it was intended and targeted to be disruptive," said Heartland Chief Information Officer Scott Bross. The college started seeing systems problems at the beginning of the business day, 7-8 a.m. He said there were multiple tools used to crash systems and equipment, and even some encryption of data, a common tactic for those who try to pry ransom money out of institutions in return for access to their own data. Forensic examinations have yet to show any student or staff data was taken away.
https://www.wglt.org/post/heartland-hackers-attacked-hours-college-systems-crashed
909408DB-15B0-49C9-AB7A-88F663FFB8E8Tue, 20 Oct 2020 00:00:00 -0500Anti-cheating software for university exams suffers security breachBreach: Software that helps monitor university students taking exams has been shut down after the developer detected a security breach. New York-based Verificient Technologies is the developer of Proctortrack, a program that watches students while they take online exams to ensure they are not cheating.
Last week, Verificient revealed in a release that it had detected a security breach at one of its servers, and that a malicious actor managed to log into one of the company's servers in Europe and sent fraudulent emails. The malicious actor even "played around with some files,"
https://www.insurancebusinessmag.com/ca/news/cyber/anticheating-software-for-university-exams-suffers-security-breach-236577.aspx
DD541A96-8A6F-4F15-9AC8-68D415876E0CMon, 19 Oct 2020 08:12:00 -0500Michigan Medicine notifies patients of email information breachHIPAA Breach: Michigan Medicine is notifying 1062 patients about an email that may have exposed their email addresses and health information to others. Emails containing information about an Inflammatory Bowel Disease event were sent to patients in late September without the blind copy function being used to hide email addresses, so patients’ email addresses were visible to all recipients.
https://www.uofmhealth.org/news/archive/202010/michigan-medicine-notifies-patients-email-information-breach
42EBDEE2-9E5B-40B4-9568-E072E9D40B72Sat, 17 Oct 2020 00:00:00 -0500College students are at high risk of identity theftIdentity Theft Risk: With all the turmoil that COVID-19 has created on college campuses, protecting themselves from identity theft probably isn't top of mind for students. However, even in normal times it's not a concern to many of them. A study by the Identity Theft Resource Center found that 64 percent of college students weren't very worried about becoming the victim of fraud. And they’re the least likely demographic group to detect fraud on their own.
https://www.jacksonsun.com/story/news/2020/10/15/college-students-high-risk-identity-theft/3671419001/
8C4C01FC-09AD-4D83-B6B9-D859E54440B3Thu, 15 Oct 2020 00:00:00 -0500Ransomware Victims That Pay Up Could Incur Steep Fines from Uncle SamRansomware OFAC Warnings: Companies victimized by ransomware and firms that facilitate negotiations with ransomware extortionists could face steep fines from the U.S. federal government if the crooks who profit from the attack are already under economic sanctions, the Treasury Department warned today. In its advisory (PDF), the Treasury’s Office of Foreign Assets Control (OFAC) said "companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations."
https://krebsonsecurity.com/2020/10/ransomware-victims-that-pay-up-could-incur-steep-fines-from-uncle-sam/
EAC30767-C0CB-4514-9956-95BF11811174Thu, 1 Oct 2020 00:00:00 -0500MU Health Care reports data breachPhishing incident: Patients of University of Missouri Health Care may have had their information exposed after an email phishing incident. In a statement on their website, MU Health Care said, "That information may have included names, dates of birth, medical record or patient account numbers, health insurance information, and/or limited treatment or clinical information, such as diagnostic, prescription, and/or procedure information. For some patients, a Social Security number was also identified."
https://abc17news.com/news/2020/09/20/mu-health-care-reports-data-breach-2/
5AB00CA2-4B32-42A9-98CC-8F9D40F8148CSun, 20 Sep 2020 00:00:00 -0500Michigan Considers Enhanced Data Breach Notification LawBreach Notification Law: Privacy and security continue to be at the forefront for legislatures across the nation, despite (or perhaps because of) the COVID-19 pandemic. In late May, with back-to-back amendments, Washington D.C. and Vermont significantly overhauled their data breach notification laws, including expansion of the definition of personal information, and heightened notice requirements. Now, Michigan may follow suit.
https://www.natlawreview.com/article/michigan-considers-enhanced-data-breach-notification-law
C33F0DD0-6500-44ED-BA5A-1E69E29AD908Mon, 14 Sep 2020 00:00:00 -0500Texas man arrested for 'Zoombombing' a university class lecture with a bomb threatZoomBombing: A Houston resident was accused of interrupting a virtual University of Houston lecture with a bomb threat and by proclaiming his association to ISIS, the US Attorney's Office of the Southern District of Texas said Tuesday. The man was arrested on September 4 for making threats or conveying false information to destroy by means of fire or explosives and making a threat over interstate commerce charges. Allegedly the suspect interrupted a lecture on Zoom, a video conferencing app, on September 2 saying, "what does any of this have to do with the fact that UH is about to get bombed in a few days?" prosecutors said.
https://www.cnn.com/2020/09/08/us/university-zoombombing-isis-arrest/index.html
CDEBB2DB-93AF-44A9-A944-EDAC6853014EWed, 9 Sep 2020 07:34:41 -0500Computer breach at OSU exposes personal info of 1,700 students and facultyComputer Breach: Personal information of some Oregon State University students and faculty members may have been compromised during a computer security breach this summer. A hacker accessed a computer server for the university’s Ecampus online education program, gaining access to records containing the names and OSU email addresses of about 1,700 students and faculty, the university announced on Thursday.
https://www.oregonlive.com/news/2020/09/computer-breach-at-osu-exposes-personal-info-of-1700-students-and-faculty.html
BDEA57DE-4D94-4841-A69D-16FC0A02448AFri, 4 Sep 2020 09:55:23 -0500Business fraternity presentation hacked with threats, antisemitism, racism and homophobiaZoom bombing: At last Thursday’s Meet the B-Frats event, one of the major recruiting events for Miami University’s business fraternities, a hacker seized hosting controls of the Zoom call and took over Pi Sigma Epsilon’s (PSE) presentation with an image of a swastika, verbal threats and homophobic and racist pre-recorded audio.
https://www.miamistudent.net/article/2020/09/business-fraternity-presentation-hacked-with-threats-antisemitism-racism-and-homophobia
6AE45958-8D6C-45E1-8DE8-FD12A17D0648Wed, 2 Sep 2020 09:17:56 -0500When threat actors gave Greenville Technical College in South Carolina until September 4 to respond to their ransomware demands, the college didn't worry. Today, the threat actors are claiming that the college has lied to its staff, its students, and the public in claiming that it successfully dealt with the attack.Ransomware: When threat actors gave Greenville Technical College in South Carolina until September 4 to respond to their ransomware demands, the college didn’t worry. They had decided not to pay because they were able to recover from the attack without paying for a decryption key. But there was a second part to the ransomware attack -- the threat actors had claimed to have successfully exfiltrated personal information of staff and students. And today, the threat actors are claiming that the college has lied to its staff, its students, and the public in claiming that it successfully dealt with the attack.
https://www.databreaches.net/greenville-technical-college-claims-no-personal-data-affected-by-ransomware-incident-threat-actors-claim-otherwise/
5709211A-DD8D-4E7F-B03A-D1294806D2CFMon, 31 Aug 2020 08:09:06 -0500The University of Utah paid nearly half a million dollars to stop a data leak after a ransomware attack, according to a posting on the university's website.Ransomware payment: The University of Utah paid nearly half a million dollars to stop a data leak after a ransomware attack, according to a posting on the university's website. The ransom payment prevented hackers from releasing stolen student and employee information from servers in the university's College of Social and Behavioral Science.
https://www.sltrib.com/news/2020/08/21/university-utah-pays-more/
843CE674-6B01-4787-9AF8-34CD4546F0E2Fri, 21 Aug 2020 00:00:00 -0500A staff member at the University of Lethbridge mistakenly included confidential information in a spreadsheet that was meant for a staff member.Health Care Data Breach: The director of the health clinic at the University of Lethbridge says she has taken steps to ensure patient information remains secure after a data breach earlier this summer. The breach was caused by a spreadsheet that was mistakenly sent to a student with the same name as a staff member.
https://www.cbc.ca/news/canada/calgary/data-breach-university-of-lethbridge-email-violation-patients-1.5684455
CD56D0E4-236B-45D3-901E-70C211B950C6Mon, 17 Aug 2020 07:40:29 -0500For college freshmen leaving home for the first time, identity theft is a real danger.Identity Theft Prevention: For college freshmen leaving home for the first time, summer can be a frenzied time of shopping for dorm room essentials, packing up clothes and saying goodbye to high school friends. In the midst of this hustle and bustle, parents need to make time to talk to their students about money and protecting themselves against identity theft while they’re on or off campus during the pandemic.
https://www.newstribune.com/news/business/story/2020/aug/16/bbb-tips-college-freshmen-at-risk-of-identity-theft/837865/
DC68D121-02F8-4CD2-9FE1-5DBFD3069438Sun, 16 Aug 2020 00:00:00 -0500ProctorU, a proctoring platform for online exams, has disclosed that it was the victim of a major data breach. ProctorU allows teachers to ensure that students don’t cheat when they take part in online exams.ProctorU Hack: ProctorU, a proctoring platform for online exams, has disclosed that it was the victim of a major data breach. ProctorU allows teachers to ensure that students don’t cheat when they take part in online exams. The ProctorU database apparently contains the details of 444,000 people, including names, home addresses, emails, cell phone numbers, hashed passwords and organization details, according to Bleeping Computer, which had a look at the stolen information. Presumably, the majority of records pertained to current or recent college students.
https://www.tomsguide.com/uk/news/proctoru-data-breach
63BC0DE0-2E5E-4D39-9D67-B94BA7E5A1D0Mon, 10 Aug 2020 00:00:00 -0500Alabama college students encouraged to download COVID-19 contact tracing appPrivacy: Alabama's colleges and universities now have another way to help track COVID-19 cases on campus. It's an app called GuideSafe. The University of Alabama at Birmingham, in partnership with Google and Apple, created it to alert students who may have had close contact with someone who tested positive. "We will be asking students to do it, but not necessarily requiring them to do it," said Abel. App users will self-report if they test positive for COVID-19. The app will use Bluetooth technology to determine if you've been in contact with someone who's tested positive within 14 days. UAB acknowledges the privacy concerns some may have.
https://mynbc15.com/news/local/alabama-college-students-encouraged-to-download-covid-19-contact-tracing-app
176C88DF-39C4-406A-B214-8957C7FB7633Mon, 10 Aug 2020 10:30:45 -0500MSU confirms unauthorized access to online shopping siteData Breach: An unauthorized party gained access to Michigan State University’s online store, shop.msu.edu, and placed malicious code to expose shoppers’ credit card numbers between Oct. 19, 2019 and June 26, 2020. The intrusion was a result of a vulnerability in the website which has since been addressed. Once the university was notified, an initial investigation determined the exposed information included names, addresses and credit card numbers of about 2,600 customers.
https://msutoday.msu.edu/news/2020/msu-confirms-unauthorized-access-to-online-shopping-site/
F0EF6ECA-0B10-4D83-BDF3-6B014CB0B911Mon, 10 Aug 2020 11:10:22 -0500Oakland University to require residents to wear ‘BioButton,’ to track health; students launch petitionPrivacy: Oakland University will require residents to wear a "BioButton" in residence halls when students return to campus this fall amid the coronavirus pandemic. The "BioButton" is wearable technology that monitors your vitals, including temperature and heart-rate, in real time. It can last for up to 90 days. It’s meant to be worn on the chest and connects to your mobile device. "The individual data will remain private to the wearer and is not shared with others," the university states on its website. A group of Oakland University students have launched a petition against the policy, citing an intrusion of privacy and data.
https://www.clickondetroit.com/news/2020/08/03/oakland-university-to-require-residents-to-wear-biobutton-to-track-health-students-launch-petition/
36AA9E52-5A9B-4E00-9404-BCC302F6E6D2Mon, 3 Aug 2020 14:21:14 -0500The College Board Is Sharing Student Data Once AgainData Privacy: For millions of students, the College Board is the gatekeeper to higher education. And according to a Consumer Reports investigation, the organization uses that role to collect and share information on those students--despite apparent promises to the contrary. The nonprofit company owns and operates the SAT test. It also administers the Advanced Placement exams high school students take to earn college credit and strengthen their applications. And when you create an account on collegeboard.org to register for the SAT, sign up for an AP test, or research colleges and scholarships, the College Board sends details about your activity to at least seven tech companies that profit from advertising.
https://www.consumerreports.org/colleges-universities/college-board-is-sharing-student-data-once-again/
006302E0-5C6B-4581-AC4E-E181DC7C2E59Thu, 30 Jul 2020 11:21:30 -0500University of Utah Health reports 3rd data breach in 2020, affecting 10,000 patientsData Breach: On July 20, University of Utah Health in Salt Lake City reported a data breach to HHS. The third reported email hack of the system this year affected the information of 10,000 patients. The health system did not respond to a request for comment. The health system reported a phishing attack from April 6 to May 22 in which a hacker accessed an employee email account and patient names, birthdates, medical record numbers and limited clinical information were exposed. That incident affected 2,700 people.
https://www.beckershospitalreview.com/cybersecurity/university-of-utah-health-reports-3rd-data-breach-in-2020-affecting-10-000-patients.html
B740507A-7153-49C8-9E6F-54A0189D0AC2Fri, 24 Jul 2020 12:31:39 -0500Blackbaud Hack: Universities lose data to ransomware attackRansomware Attack: At least 10 universities in the UK, US and Canada have had data stolen about students and/or alumni after hackers attacked a cloud computing provider. The hack targeted Blackbaud, one of the world's largest providers of education administration, fundraising, and financial management software. The US-based company's systems were hacked in May. In some cases, the stolen data included phone numbers, donation history and events attended. Credit card and other payment details do not appear to have been exposed.
https://www.bbc.com/news/technology-53516413?intlink_from_url=https://www.bbc.co.uk/news/education&link_location=live-reporting-story
1252C80F-A269-4000-8C9A-E078C86914B9Thu, 23 Jul 2020 15:37:23 -0500Royal Military College weighs damage after cybersecurity attackCyber Attack: Federal officials are assessing the damage from a cyberattack targeting the Royal Military College of Canada, the institution that trains military leaders and conducts sensitive research into warfare. Officials are not revealing the extent and nature of the breach at the Kingston-based college, which is run by the Department of National Defence (DND) and trains officers for all branches of the military.
https://www.theglobeandmail.com/canada/article-royal-military-college-weighs-damage-after-cybersecurity-attack/
47A85991-7563-4C0A-8B17-1BE995448379Mon, 6 Jul 2020 11:19:28 -0500University of Michigan: Leaked emails, passwords were from '3rd-party data breaches'3rd Party Data Breach: University of Michigan students got a scare Friday night: warnings circulating on social media about an apparent data breach leaking their U-M email addresses and passwords. On Saturday, the University of Michigan released a statement saying the information was from older "third-party data breaches, such as Chegg, Zynga, LinkedIn" where users used their student emails to sign up to register. The release emphasized there was no data leak from the university’s end, and stressed students should not use the same passwords outside of U-M services.
https://www.freep.com/story/news/education/2020/07/04/umich-say-data-breach-third-party/5376898002/
50A469D0-E034-465D-B292-E827F2CF16F7Sat, 4 Jul 2020 11:10:59 -0500UCSF Medical School Officials Pay Hackers $1.14 Million Ransom To Recover Stolen DataRansomware Attack: Hackers who attacked computer servers at the University of California at San Francisco School of Medicine were paid a ransom of more than $1 million so researchers could regain access to data that had been maliciously encrypted by malware, according to university officials. The school’s Information Technology staff detected a security incident on June 1 and the affected areas, described as "a limited number of servers in the School of Medicine," were isolated from the UCSF core network. The attack left the servers inaccessible and malware uploaded during the breach encrypted data on the affected servers that was used by the attackers as proof of what had been perpetrated.
https://sanfrancisco.cbslocal.com/2020/06/28/cyber-attack-ucsf-medical-school-ransom/
04C9BE46-28E8-4C31-A5F0-0272B2AB4C8DSun, 28 Jun 2020 13:15:34 -0500MU Health Care experienced data breach, some social security numbers compromisedData Breach: MU Health Care experienced a data breach last fall involving patient information, it announced Thursday in a news release. On Sept. 21, MU Health Care learned an unauthorized person potentially gained access to the emails of some MU students affiliated with the health system. The information compromised included names, birthdates, medical record numbers, insurance information and some treatment information, including types of medication. Some social security numbers were also compromised for a limited number of patients, according to the release.
https://www.columbiamissourian.com/news/higher_education/mu-health-care-experienced-data-breach-some-social-security-numbers-compromised/article_44cfbf74-ac24-11ea-b2a6-abdda5987b58.html
34DC186D-6D9E-4B93-A1E2-37DED3661AD0Thu, 11 Jun 2020 12:04:15 -0500FBI investigating racist 'Zoom bombing' during St. Bonaventure University Zoom conversationZoom Bombing: St. Bonaventure University says the FBI is investigating the racist "Zoom bombing" that occurred during a St. Bonaventure Zoom conversation on June 5. The school says its Office of Technology Services completed its investigation and turned its findings over to the Jamestown office of the FBI for further investigation. "More than one user hacked into the Zoom session just after 1 p.m. Friday and uttered racial epithets and drew swastikas and other offensive images on the PowerPoint presentation. They were quickly removed from the session, which continued without further incident," officials said in a release.
https://www.wkbw.com/news/local-news/fbi-investigating-racist-zoom-bombing-during-st-bonaventure-university-zoom-conversation
08C73514-A65D-4E9D-A7F5-F70B636E9471Wed, 10 Jun 2020 13:42:09 -0500FAU student scammed after campus email hackEmail Hack/Scam: Emma Cutkomp thought she was applying for a legitimate part-time job as a personal assistant. She said her research mentor at Florida Atlantic University sent her the listing for the job, and her mentor got the listing from another faculty member using an official campus email address, that ended with @fau.edu. "It looked normal," said Cutkomp. "Nothing was fishy, all the links worked out. It was from an FAU staff member, so there's a credential there where you have some trust built up."
https://cbs12.com/news/cbs12-news-i-team/i-team-fau-student-scammed-after-campus-email-hack
818F8130-9F5F-4B6D-B0AB-7322508FD89FMon, 8 Jun 2020 14:12:33 -0500Hackers begin publishing stolen documents after Michigan State refuses to pay ransomData Breach: A hacker began publishing stolen Michigan State University financial documents and personal information this week, shortly after MSU refused to pay a ransom. The documents were published Wednesday or Thursday, according to screenshots provided by Brett Callow, a threat analyst with the anti-malware company Emsisoft. The screenshots show 3.2 gigabytes of information have been published with more coming "soon" in a second installment. A sampling of some of the information published includes a student's passport, an MSU letter from 2014 offering someone a postdoctoral research associate appointment and a receipt from a pizza order, according to information provided by Callow.
https://www.lansingstatejournal.com/story/news/2020/06/04/hackers-publishing-stolen-michigan-state-university-msu-documents/3144933001/
7DCED047-ACE8-42B6-9530-B569C64A3739Thu, 4 Jun 2020 11:57:17 -0500MSU computer system breached in ransomware attackRansomware Attack: An official at Michigan State University said that a school computer system has been targeted by a ransomware attack threatening to publish student information. Dan Olsen, deputy spokesperson at MSU, confirmed today to FOX 17 that the university was recently the victim of a NetWalker ransomware security breach. He offered the following statement to FOX 17. "Within hours of the intrusion, MSU IT took prompt action and notified law enforcement agencies," Olsen said. "At this time, we believe the intrusion is isolated to one unit on campus.
https://www.fox17online.com/news/local-news/michigan/msu-computer-system-breached-by-ransomware-attack
44E3DFCF-7C79-40A6-985D-9C2B1AF0AA65Thu, 28 May 2020 14:59:31 -0500‘In the hands of cyber criminals’: Man sues WSU over hack of decades-old student dataData Breach Lawsuit: A December data breach that jeopardized the personal information of thousands of current and former Wichita State University students -- some of whom attended the school decades ago -- is now the subject of a federal lawsuit. Michael Bahnmaier of Wichita is seeking class action status in the lawsuit, which accuses the university of negligence in keeping and storing sensitive data, waiting too long to alert potential victims about the hack, and "knowingly and deliberately" enriching itself by not paying for security measures that would have guarded against the breach.
https://www.kansas.com/news/local/crime/article242844331.html
B77A4B93-2907-4E2B-AE9D-B752CE65610CTue, 26 May 2020 11:12:21 -0500Big ProctorOnline Proctoring & Privacy: Online proctoring has surged during the coronavirus pandemic, and so too have concerns about the practice, in which students take exams under the watchful eyes (human or automated) of third-party programs. Chief among faculty and student concerns are student privacy and increasing test anxiety via a sense of being surveilled. Pedagogically, some experts also argue that the whole premise of asking students to recall information under pressure without access to their course materials is flawed. This, they say, may only motivate students to game the system, when cheating is what online proctoring services seek to prevent.
https://www.insidehighered.com/news/2020/05/11/online-proctoring-surging-during-covid-19?utm_source=Inside+Higher+Ed&utm_campaign=eebf0d01a5-DNU_2019_COPY_02&utm_medium=email&utm_term=0_1fcbc04421-eebf0d01a5-198624309&mc_cid=eebf0d01a5&mc_eid=c27b65b094
5ED2DE9E-6DC3-4C9B-9C47-376A221913D3Mon, 11 May 2020 14:38:26 -0500Oklahoma City University’s virtual graduation hacked; racist language, swastika displayed during blessingZoom Bombing: Oklahoma City University held its virtual graduation celebration on Saturday, but the event was hacked by someone who broadcast a racial slur and a swastika as a student gave a blessing. The university used Zoom to host the virtual event. "Although we took safety precautions, unfortunately the digital platform we used to connect has become a target," Burger said. Pictures of students were displayed and a student gave a blessing when the racial slur and swastika suddenly appeared.
https://kfor.com/news/local/oklahoma-city-universitys-virtual-graduation-hacked-racist-language-swastika-displayed-during-blessing/
E3ABDE50-5437-4047-962E-B8E8B7EE6EBBSat, 9 May 2020 14:33:17 -0500Students, experts call for explanation after York University suffers 'extremely serious' cyber attackCyber Attack: Students and digital security experts say York University must release more information about what the school calls an "extremely serious" cyber attack last week. York says the Friday evening attack corrupted a number of its servers and workstations, though it has not yet said if any sensitive information was stolen. In a statement, York said its IT department quickly severed the school's internet connection and shut down many of its online programs after the attack began, a move that mitigated the scope and severity of the breach. York has advised that everyone at the university will need to reset their passwords as a result of the attack.
https://www.cbc.ca/news/canada/toronto/york-university-cyber-attack-1.5555106
A7B6B9F4-7902-4DDE-B021-D0204E69B9FAMon, 4 May 2020 09:04:35 -0500IVCC says security breach audit should be completed by early next weekNetwork Security Breach: Illinois Valley Community College hired consulting firm Rehmann to unlock its servers after a security breach to its network was discovered Friday. "Step No. 1 is to secure and clear the environment to ensure it is safe to begin to unlock servers," said IVCC President Jerry Corcoran in a press statement. Vice President for Business Services and Finance Cheryl Roelfsema said restoring the network -- and completing a forensic audit to determine how Friday’s breach occurred -- should be completed early next week, if not sooner.
https://www.newstrib.com/2020/04/27/ivcc-says-security-breach-audit-should-be-completed-by-early-next-week/ajj1e8i/
858AEFD4-A10F-4DE8-BCFD-C80A4D062B60Tue, 28 Apr 2020 11:01:01 -0500UAMS shuts down information network after 'malware virus' detectedMalware Virus: The FBI was notified of a malware incident last weekend that caused the University of Arkansas for Medical Sciences to shut down its information network, an agency spokesman said. Leslie Taylor, a spokeswoman for UAMS, confirmed Monday that the hospital "temporarily deactivated" some of its systems after detecting a "malware virus." Employee emails sent and received during the weekend were deleted by the malware virus, according to UAMS. Taylor said that no data -- including patient, student or employee information -- was compromised. She added that the "server downtime" has affected patient appointments, so some of them had to be rescheduled.
https://www.arkansasonline.com/news/2020/apr/28/uams-shuts-down-information-network-aft-1/
91A7C5B5-4D72-4383-A90C-757553E9B4EBTue, 28 Apr 2020 10:29:30 -0500U.S. Universities Hit With ‘Adult Dating’ Spear-Phishing AttackSpear-Phishing Attack: More than 150,000 emails spreading the Hupigon RAT that use adult dating as a lure have been uncovered, with almost half being sent to U.S. university and college email addresses. Several U.S. universities have been targeted in a widespread spear-phishing attack that uses adult dating as a lure. In reality, the emails spread the Hupigon remote access trojan (RAT), known to be leveraged by state-sponsored threat actors.
https://threatpost.com/us-universities-adult-dating-spear-phishing-attack/155170/
27E66106-1DB2-476B-831A-64BEFF12BCBFMon, 27 Apr 2020 10:41:45 -0500Half a Million Zoom Accounts Compromised by Credential Stuffing, Sold on Dark WebZoom Accounts Compromised: The latest in Zoom’s seemingly never-ending string of security issues is about half a million user accounts that have come up for sale on a dark web forum. These Zoom accounts appear to have been collected via credential stuffing, using username and password combinations that were obtained in past breaches of other companies. It’s to be expected that among the millions of users that have flocked to Zoom in the past two months will be some that re-use credentials that have been breached in other attacks, perhaps unbeknownst to them. However, the sheer number of Zoom accounts that were compromised in this way indicates that the video conferencing service has not been checking registered usernames and passwords against lists of known breached account credentials.
https://www.cpomagazine.com/cyber-security/half-a-million-zoom-accounts-compromised-by-credential-stuffing-sold-on-dark-web/
14ACE8C7-AC3E-4F97-957D-1C65113CCBFAMon, 27 Apr 2020 10:39:51 -0500MSU says data breach of third party vendor impacts hundredsThird Party Data Breach: Michigan State University said it has been informed by E-commerce vendor Volusion, which provides online payment processing to thousands across the country, of a nationwide data breach. The university said it was informed that the data breach "impacted less than 300 customers who processed credit card payments for good through shop.msu.edu between Sept. 7, 2019 and Oct. 8, 2019." "While there was no breach to Michigan State University’s networks or systems, this breach of a third-party vendor is concerning and compels us to do what we can to help those impacted by sharing this important information," said MSU Chief Information Officer Melissa Woo.
https://www.wilx.com/content/news/MSU-says-data-breach-impacts-hundreds-569818441.html
1DAF6DF2-DDE5-4F5D-955E-34620BB32337Tue, 21 Apr 2020 10:36:31 -0500‘Zoombombing’ disrupts online classes at University of Southern CaliforniaOnline Classes: Saboteurs using "racist and vile language" infiltrated and disrupted online classes held by the University of Southern California, the school’s president disclosed Wednesday, the latest incident in a trend some have dubbed "Zoombombing." Zoom is a videoconferencing tool that many colleges and universities are using to help finish their semesters through remote teaching, after the coronavirus pandemic put a halt to in-person classes.
https://www.washingtonpost.com/education/2020/03/25/zoombombing-disrupts-online-classes-university-southern-california/
27B8B788-AFCA-4CCF-A462-86A1A1EFA7A4Wed, 25 Mar 2020 14:07:11 -0500Privacy and the Online PivotPrivacy: Most colleges and universities across the country have pivoted to remote learning in an effort to stem the spread of the novel coronavirus sweeping the globe. While the sudden change is necessary, some privacy experts worry about the unintended consequences. Ensuring the software colleges are now using doesn't violate the Family Educational Rights and Privacy Act, or FERPA, is one key issue, according to Amelia Vance, director of youth and education privacy at the Future of Privacy Forum. Another issue is the potential for increased surveillance of students as colleges switch from in-person classes to virtual ones.
https://www.insidehighered.com/news/2020/03/25/pivot-online-raises-concerns-ferpa-surveillance?utm_source=Inside+Higher+Ed&utm_campaign=b7abeb7ead-DNU_2019_COPY_02&utm_medium=email&utm_term=0_1fcbc04421-b7abeb7ead-198624309&mc_cid=b7abeb7ead&mc_eid=c27b65b094
7E0B684F-8A0E-4149-8DF5-7F763D59294EWed, 25 Mar 2020 14:05:20 -0500University of Utah Health says some patients' data compromised in ‘phishing’ security breachData Breach: Some University of Utah Health patients’ personal medical data, including medical record numbers, dates of birth and limited clinical information, was hacked after employee emails were compromised, the hospital said on Friday night. Officials said as of Friday, there was no indication patient information had been misused. On Feb. 3, officials found that a common malware may have been put on an employee’s workstation, which was then secured by U of U Health, and an investigation was opened into this incident.
https://www.ksl.com/article/46732931/university-of-utah-health-says-some-patients-data-compromised-in-phishing-security-breach
220BF283-3258-43F3-AF78-C8487197491ESat, 21 Mar 2020 15:21:01 -0500College of DuPage data security breach could affect 1,700 current, former employeesData Breach: Personal and tax information for more than 1,700 current and former employees of the College of DuPage may have been impacted by a recent data security breach, officials at the Glen Ellyn school said Monday. President Brian Caputo said officials believe it's unlikely the information contained in the 2018 W-2 forms of 1,755 current and former COD employees was obtained or used for fraudulent purposes.
https://www.dailyherald.com/news/20200316/college-of-dupage-data-security-breach-could-affect-1700-current-former-employees
0EE2ECA5-DA07-4090-AEA5-59A09259F333Tue, 17 Mar 2020 10:40:30 -0500WSU student, faculty, staff information potentially compromised in December data breachData Breach: After an investigation of a Dec. 2019 data breach, a "leading computer forensic firm" found that a server that was compromised during the breach contained names, email addresses, dates of birth "and, in some cases, Social Security numbers," of former and current Wichita State students, faculty and staff, according to a university statement. David Miller, interim chief information officer, said in his statement that all affected individuals would receive a letter to their home address.
https://thesunflower.com/49658/news/wsu-student-faculty-staff-information-potentially-compromised-in-december-data-breach/
0C59B92A-F18E-4724-9E61-91BEDFF2A781Fri, 6 Mar 2020 09:39:15 -0500Computer systems at UK and UK HealthCare hobbled by massive, month-long cyber attackCyber Attack: The University of Kentucky and UK HealthCare conducted a major reboot of their computer systems early Sunday morning in an effort to end a month-long cyber attack that university officials say is the most substantial cyber intrusion in university history. The unidentified "threat actors" infiltrated Kentucky’s largest university system in early February from somewhere outside the United States and installed malware that utilized UK’s vast processing capabilities to mine cryptocurrency, such as Bitcoin, said Eric Monday, UK’s executive vice president for finance and administration.
https://www.kentucky.com/news/local/education/article240970221.html
D9741934-154F-4C04-8FF6-70F62480D251Sun, 8 Mar 2020 13:17:43 -0500SFU hit by ransomware attack, resulting in data breachData Breach: A Metro Vancouver university has sent out an alert that a data breach has taken place at the institution. Simon Fraser University (SFU) states on its website that a privacy breach was identified on February 28. Information that was exposed includes SFU Computing IDs; SFU student or employee ID numbers; first, last, and preferred names; birthdates; employee groups; mail list memberships; course enrollment; external email addresses; web form data; and encrypted passwords.
https://www.straight.com/tech/1367431/sfu-hit-ransomware-attack-resulting-data-breach
BF07BD73-496E-4BB0-A032-9717B9E2D98EMon, 2 Mar 2020 19:19:00 -0600UW Medicine patients fearful after health information leakedData Breach Lawsuit: Imagine that your most private medical information is suddenly available worldwide on the internet. That’s what happened to nearly a million UW Medicine patients. The huge data breach -- one of the largest in state history -- occurred because of human error and was first reported by KIRO 7 in February of 2019. Because of the breach, private medical files were available online -- in Excel spreadsheets -- for nearly three weeks. The breach has now led to a class-action lawsuit that could eventually represent all 974,000 patients whose names and personal health information were compromised.
https://www.kiro7.com/news/tonight-530-uw-medicine-patients-fearful-after-health-information-leaked/TPTTBFVMVVE7RBLTVSI4ALL5QA/
029B7000-D451-4E4D-B6AA-89E7370BF8CBWed, 19 Feb 2020 13:36:27 -0600100K IU Student GPAs Accidentally Made Available To All Students, StaffFERPA Data Breach: Indiana University officials say a tool designed to help university staff access student grade point averages was unintentionally made available to the entire IU community. Spokesperson Chuck Carney says the tool was immediately disabled once the ability to access all enrolled students' GPAs was made known to IU officials. The data breach could be a violation of the Family Educational Rights and Privacy Act, which requires consent before an educational institution can disclose personal information from educational records.
https://indianapublicmedia.org/news/iu-student-gpas-accidentally-made-available-to-all-university-students.php
2E895C4B-AFFD-4F07-96A4-561BB6C80431Thu, 6 Feb 2020 14:06:17 -0600Phishing scam targets STLCC; private information exposedPhishing Scam: More than 5,100 St. Louis Community College students and employees had their personal information accessed via a phishing scam. The data breach was discovered on January 13, according to a spokesperson for the college. Cybercriminals targeted employees and students through "a series of email phishing attacks" which ultimately gave them access to data stored in employee email accounts. That information included names, personal and work cellphone numbers, college email and personal email addresses, dates of birth, and addresses. Seventy-one people had their Social Security numbers compromised as well.
https://fox2now.com/2020/02/04/phishing-scam-targets-stlcc-private-information-exposed/
D609F6CF-13C1-466A-95D0-430B4F9099F5Tue, 4 Feb 2020 11:35:16 -0600Cal Poly’s website gave visitors a surprise: hardcore pornWebsite Link to Porn: An official Cal Poly website for the San Luis Obispo university’s Orfalea College of Business has all the related links you would expect: course descriptions, career pages, student groups and ... porn? For several months, it appears that people who clicked to learn more about a professional student group called Information Systems Association were instead directed to a page filled with images of hardcore pornography. It appears that the student group didn’t pay the domain fee for its old URL address, and a porn site scooped it up. The URL now features pornography. Internet receipts show a new owner registered the web address in October 2019.
https://www.sanluisobispo.com/news/local/education/article239761473.html
5602C78F-483C-4FE4-A82B-20F142BCB2D3Wed, 29 Jan 2020 10:57:27 -0600Denver’s Regis University paid ransom to "malicious actors" behind campus cyberattackCyberattack: When "malicious actors" carried out a cyberattack on Regis University last August -- crippling the Denver campus’s IT network and downing phones, email and Wi-Fi -- university officials paid the hackers a ransom in hopes of restoring their incapacitated systems. Yet even after that payment, which Regis leaders publicly revealed for the first time to The Denver Post, the cyberattack still impaired day-to-day operations at the private Jesuit college for months.
https://www.denverpost.com/2020/01/28/regis-university-ransomware-cyberattack/
C4583BF6-018C-444A-8EC1-71314BBE253ATue, 28 Jan 2020 11:02:46 -0600Invasive or helpful? MU using students’ phones to track if they are in class or notTracking App: University of Missouri students, be warned: If it’s not Big Brother watching you, it might be your professors and university administrators. The school is using hidden technology and an app on student cellphones to keep track of who is in class and who is not. Now, as a test pilot, the school is expanding the program to any student new to campus for this semester, which starts Tuesday. Faculty volunteered to have their classes be part of the test. Their students won’t be given a choice.
https://www.kansascity.com/news/state/missouri/article239139523.html
662D1B95-6981-4D87-B200-440679E52C8ETue, 21 Jan 2020 11:14:02 -0600College Athlete Recruiting Software Exposed Students' Medical Info, GradesRecruiting Software Breach: Front Rush, a technology company that provides services to college athletics programs, exposed a server containing more than 700,000 files to the open internet, including college athletes' medical records, performance reports, driver licenses, and other personal information. Front Rush works with over 30,000 coaches and 9,500 teams according to its website. The company confirmed the data exposure in a statement. Items exposed included students' SAT scores, personal address, date of birth, physical evaluations, post-injury reports, performance reviews from specific teams for particular players, and athletic financial aid agreements.
https://www.vice.com/en_ca/article/g5xggy/front-rush-college-athlete-recruiting-software-exposed-medical-information-grades
3889A710-244B-40AD-8A3B-C5192D1E7601Wed, 8 Jan 2020 14:04:59 -0600Cyberattack postpones start of classes at Wallace State Community CollegeCyberattack: Wallace State Community College is delaying the start of classes in the 2020 spring semester due to a cyberattack on the college’s online services. Classes will begin on Wednesday, Jan. 8. Registration has been extended through Jan. 15. In a statement, officials said student and employee data was not breached in the cyberattack.
https://www.al.com/news/2020/01/cyberattack-postpones-start-of-classes-at-wallace-state-community-college.html
028DCC7C-C467-49CA-A741-8F559ED93EBAFri, 3 Jan 2020 13:08:09 -0600Oops! Lehigh University sends congratulatory emails to applicants who weren’t acceptedErroneous Email: Lehigh University accidentally sent a congratulatory email to 137 applicants not selected for early admission. But within hours, Lehigh officials realized someone had emailed the congratulations to all who applied for early admission instead of just those who were accepted. Students who apply for early decision can be either admitted, denied or deferred to the regular admission round. Lehigh expects to have 1,425 freshmen next fall. Bruce Bunnick, director of admissions at Lehigh, sent a follow-up email this week to apologize.
https://www.mcall.com/news/local/bethlehem/mc-nws--20191220-ztwhjbxz7vba5hd7pduvtv63cu-story.html
6D24F6D7-E4C0-41D5-98DF-F5924ABD2BA6Wed, 1 Jan 2020 13:31:42 -0600Walla Walla University online network hackedCyber Attack: Walla Walla University officials are investigating a campus-wide cyber attack that crashed online networks and phone lines this fall-finals week. School officials today referred to the hacking, discovered Monday, as a ransomware incident but did not confirm a monetary ransom was demanded.
WWU’s email system is working once again, but a person answering a general contact phone on the campus said all other office phones have not been restored as of this morning.
https://www.union-bulletin.com/news/education/walla-walla-university-internet-system-hacked/article_06f47c15-da80-5920-be0e-1a5f572be995.html
33D66814-3608-4CC2-8127-A72F240E081BThu, 12 Dec 2019 15:20:02 -0600School of Medicine notifies patients about data breach from phishing incidentData Breach: The University of North Carolina at Chapel Hill School of Medicine today announced it is mailing notification letters to an estimated 3,716 persons whose information may have been affected in a cyber phishing incident involving some School of Medicine email accounts. A leading independent forensic firm conducted a lengthy and extensive review that concluded on Sept. 13, 2019, and confirmed that an unauthorized third party gained access to several email accounts during the approximate timeframe of May 17, 2018, to June 18, 2018. This review confirmed that some patients’ personal information was contained in the affected email accounts, possibly related to treatments received when they were seen by a UNC physician.
https://uncnews.unc.edu/2019/11/12/school-of-medicine-notifies-patients-about-data-breach-from-phishing-incident/
B44304E5-8138-45C1-AC04-4D32859F95F4Tue, 12 Nov 2019 18:27:15 -0600Student data sent to 1,100 students accidentally by Georgia Tech employeePrivacy Breach: Approximately 1,100 students' personal information was sent out inadvertently by a Georgia Tech employee, the institution said Thursday. The staff member sent an email and, in doing so, attached a file that included student names, ethnicity, Georgia Tech ID numbers, Georgia Tech e-mail addresses, and GPAs. The information did not include social security numbers or birth dates.
https://www.11alive.com/article/news/local/georgia-tech-data-breach/85-4b789858-6fd2-4b9d-a866-0174d7dc01fd
29F8E27C-3838-4221-924F-4D0D84056A87Thu, 7 Nov 2019 15:27:58 -0600Washington University School of Medicine notifies patients of privacy breachPrivacy Breach: Washington University School of Medicine announced today that it began mailing letters to patients whose information may have been involved in a recent security incident at its Department of Ophthalmology and Visual Sciences. On Sept. 3, 2019, the School of Medicine learned that a small number of patients had received a letter regarding an ophthalmology department employee. The School of Medicine quickly began an internal investigation and determined that the letter was sent by an individual who knew the employee. The unauthorized individual took the employee’s personal laptop and used it to access the employee’s School of Medicine email account between April 29 and Sept. 3, 2019.
https://medicine.wustl.edu/news/washington-university-school-of-medicine-notifies-patients-of-privacy-breach/
042413A5-ECD9-4A5A-BC8D-8B792E0A7656Fri, 1 Nov 2019 13:08:17 -0600Following flood of spam emails, more than 1,000 student accounts temporarily disabledSpam Emails/Disabled Accounts: Over 1,000 Boston University students were forced to change their account passwords after BU servers were flooded with spam emails from student accounts in late September, university officials said. The spam is believed to be a result of a 2018 breach of the educational site Chegg. Eric Jacobsen, executive director of Information Security at BU, wrote in an email that student accounts that displayed spam activity were temporarily disabled and the students were forced to change their passwords as a means of resecuring their accounts.
https://dailyfreepress.com/blog/2019/10/10/following-flood-of-spam-emails-more-than-1000-student-accounts-temporarily-disabled/
7555B3F5-04FD-4D18-B69C-01B2BBD1B113Thu, 10 Oct 2019 10:54:48 -0500Southeast department sends email violating student privacyPrivacy Breach/FERPA: On Oct. 4, an email including information from the College of Humanities and Social Sciences leaked private information about students, faculty and staff members to approximately 50 Southeast communication students. The email was sent with personally identifiable information (PII) to the communication students within the major. The email included three attached Excel files, including information such as Southeast ID numbers, GPAs and academic standing, among other personal information.
https://www.southeastarrow.com/story/2639662.html
AC8845F9-D645-4CBF-8F97-587B16666DF6Tue, 8 Oct 2019 12:35:37 -0500Thousands of UAB patients’ info possibly seen by hackers in cyberattackPhishing attack: The largest medical center in the state has announced thousands of patients may have had personal information exposed to hackers after a cyberattack in August. UAB Medicine sent a news release Friday afternoon saying over 19,000 patients may have had personal information breached after hackers gained access to some employee email accounts. The hackers sent an email on August 7 that looked like an authentic request from an executive asking employees to complete a survey, according to UAB.
https://www.al.com/news/birmingham/2019/10/thousands-of-uab-patients-info-seen-by-hackers-in-cyberattack.html
5B3D874B-4F64-435D-A520-0BB1A3913837Mon, 7 Oct 2019 09:59:34 -0500Pitt public health school apologizes for data releaseAccidental Data Release: An administrator in the University of Pittsburgh Graduate School of Public Health who was notifying seven students of balances due accidentally emailed them a spreadsheet attachment with balance information for them and 31 other students, officials said Friday. No banking or Social Security information was included in the accidental release that occurred last week, said Pitt spokesman Kevin Zwick. A note sent to students within the school said anyone receiving an Excel spreadsheet regarding student tuition information attached to a Sept. 24 email should delete it from user accounts and devices, as well as empty email trash in case one’s account is compromised.
https://www.post-gazette.com/news/education/2019/10/04/data-breach-hack-student-privacy-University-of-Pittsburgh-Pitt-health-college-students/stories/201910040143
A08A08B7-0549-4088-AD9D-5971C81D6A48Fri, 4 Oct 2019 12:55:41 -05003,000 Kent State student emails hackedStudent Email Hack: On Sept. 19 Kent State announced over 3,000 student emails had been hacked the week before. According to Robert Eckman of Kent State’s IT department, the breach was a result of credential harvesting.
Eckman said in an email, "Credential Harvesting is the process of using some form of technical or brute force in means of gaining both the username and password of a legitimate account holder. Often times hackers use previously hacked credentials against legitimate authentication systems (like the Kent State login) to see if they are still "usable." In other words, if a student had used the same username and password on another site that had been hacked and has not changed their KSU password, then that hacked credential would work here at KSU as well."
http://www.kentwired.com/latest_updates/article_f8e73956-e587-11e9-b613-9394e83236a4.html
193CE100-14F6-4903-8682-848C9F0EF474Wed, 2 Oct 2019 12:53:59 -0500Sacramento State accidentally accepts 3,500 students on its waitlistErroneous Email: Sacramento State accidentally accepted 3,500 waitlisted students for fall admission, resulting in 500 additional students who began classes this semester. The error occurred when the waitlisted students were mistakenly invited to the university’s Admitted Students Day this year, according to Brian Henley, the university’s director of admissions and outreach. The university sent an email out in March to all accepted students, welcoming them to the special event. When the university invited waitlisted students to visit the school, the email began with, "Congratulations."
https://www.sacbee.com/news/local/education/article235072697.html
5B39C60D-6FA0-4EAF-AB5D-B3BFE08336F8Sat, 14 Sep 2019 11:32:17 -0500Email hack sends strange message to studentsPhishing Attack: Marquette students were puzzled Tuesday afternoon when a new message appeared in their inboxes. The sender was another Marquette student, claiming their aunt recently moved to the area. The aunt was offering $350 weekly for students interested in pet sitting her dogs. The message was sent to dozens of students, and the emails came from different student senders.
https://marquettewire.org/4016316/news/email-hack-sends-strange-message-to-students/
B7552D65-C3F9-4F83-B5B0-2F6B5CA843C4Tue, 10 Sep 2019 09:31:40 -0500College in Denver shuts down its network after cyberattackCyberattack: Regis University in Denver has shut down its computer, phone and email systems because of a cyberattack that it says probably came from outside the United States. The Denver Post reports the private Catholic school disconnected its networks Thursday and set up another website to keep students and faculty informed. University officials declined to say whether it was a ransomware attack. They said they're still investigating.
https://www.thedenverchannel.com/news/local-news/college-in-denver-shuts-down-its-network-after-cyberattack
CBC4524A-67CF-4396-8A47-968DDD68A483Tue, 27 Aug 2019 11:05:19 -0500Data breach: ASU accidentally reveals email addresses of 4,000 studentsHIPAA Data Breach: Arizona State University has notified 4,000 students that their email addresses "were accidentally revealed" in a large data breach. ASU told the students on Aug. 16 it happened in late July when a university office sent bulk emails about renewing health insurance coverage without masking the identities of the recipients. This unintended action is considered a data breach under the Health Insurance Portability and Accountability Act (HIPAA).
https://www.azfamily.com/news/data-breach-asu-accidentally-reveals-email-addresses-of-students/article_11cbf8de-c2ca-11e9-9c32-2bf264d0f9ca.html
8DD291E0-FAD8-4C0D-B015-62EA4CCB9B13Mon, 19 Aug 2019 09:41:42 -0500Michigan Medicine notifies patients of health information breachHealth Information Breach: Michigan Medicine is notifying approximately 5,500 patients about a phishing email campaign that may have exposed some of their health information. During the campaign, emails containing a malicious link were sent to over 3,200 Michigan Medicine employees. If the link was clicked, employees were directed to a webpage that looked like a legitimate site requesting the username and password for their email account. In July 2019, three employees clicked into this email, resulting in the perpetrator gaining access to the employees’ email accounts. The accounts were then used to continue to send additional phishing emails. Michigan Medicine discovered the compromised accounts on July 9 and July 12.
https://www.uofmhealth.org/news/archive/201908/michigan-medicine-notifies-patients-health-information
B316D93A-A0FA-4E01-894B-470977F607A9Fri, 16 Aug 2019 13:29:29 -0500University of Florida websites hackedWebsite Hack: Multiple websites affiliated with the University of Florida student government association were hacked early Saturday. Information on the sites was replaced with obscenities and a political message. The Twitter user claiming responsibility, @VandaTheGod, has hacked many other local government and university websites in multiple countries. The sites were restored around 4 p.m. Saturday.
https://www.wcjb.com/content/news/University-of-Florida-websites-hacked-533369191.html
C91EB2F5-D805-4211-B3FD-2C7EF04E04B6Sat, 10 Aug 2019 09:01:23 -0500Pearson hack exposes student data connected to 13,000 accountsPearson, the world’s largest education publisher, has notified its customers of a data breach that has affected approximately 13,000 school and university accounts, exposing the personal information of an unknown number of students. The breach, which exposed names, birthdays and email addresses of students, primarily in the U.S., was brought to the attention of Pearson administrators by the Federal Bureau of Investigation back in March 2019, the Wall Street Journal reported on Wednesday.
https://edscoop.com/pearson-hack-exposes-student-data-connected-to-13000-accounts/
993BAAF1-0912-4E2C-B0B6-BFF3B3CE2FBFThu, 1 Aug 2019 14:06:27 -0500Exploitation of Ellucian Banner System VulnerabilitySystem Vulnerability: The U.S. Department of Education (Department) has obtained information regarding the active and ongoing exploitation of a previously identified vulnerability in the Ellucian Banner (Banner) system. The vulnerability only occurs in Ellucian Banner Web Tailor versions 8.8.3, 8.8.4, and 8.9 and Banner Enterprise Identity Services versions 8.3, 8.3.1, 8.3.2, and 8.4. The Department has identified 62 colleges or universities that have been affected by exploitation of this vulnerability.
https://ifap.ed.gov/eannouncements/071719ITSecurAlertExploitationEllucianBannerSysVulnerability.html
CA5EE810-7A47-4A53-AFCB-23172818A4C3Wed, 17 Jul 2019 10:30:09 -0500University of Alabama warns of computer breach at Brewer-Porch centerData Breach: The University of Alabama says a 2009 computer security incident involving a server for Brewer-Porch Children’s Center may have exposed some personal information for about 1,400 former clients, employees and medical providers. In June, staff preparing an old server for disposal discovered unauthorized login activity between Oct. 24, 2009, and Dec. 9, 2009, from outside the United States.
https://www.tuscaloosanews.com/news/20190716/university-of-alabama-warns-of-computer-breach-at-brewer-porch-center
8AE0551F-9582-4129-A5A8-0A183DF5B8F0Tue, 16 Jul 2019 13:54:43 -0500UNL offering identity protection after laptop with personal information stolenStolen Laptop: More than 900 current and former employees of the University of Nebraska-Lincoln's Institute of Agriculture and Natural Resources have been offered identity theft protection after a laptop containing their personal information was stolen overseas. Thieves made off with the laptop of a consultant who helps manage IANR's employee retirement benefits while that individual was on vacation in Italy, UNL said in a news release. While the names, Social Security numbers, home and email addresses and financial account information on the laptop were password-protected, they were not encrypted, leaving UNL employees vulnerable.
https://journalstar.com/news/local/unl-offering-identity-protection-after-laptop-with-personal-information-stolen/article_161c5924-15cf-5fd6-911d-7061c625ed67.html
3DC7F8B2-9C4C-4F45-8A03-619249336754Tue, 16 Jul 2019 11:34:53 -0500Monroe College hacked, $2 million in Bitcoin demanded as ransomHack/Ransom: Monroe College’s computer system was hacked by someone demanding a $2 million ransom in Bitcoin, the Daily News has learned. A hacker crippled the Bronx-based school’s computer network by encrypting its files remotely at 6:45 a.m. Wednesday, authorities said. The school’s website was completely inaccessible after the hack, though its Facebook page is still up.
https://www.extremetech.com/internet/294213-how-google-legally-profits-from-massive-fraud-on-its-platform
B26A8FCC-5CBC-44FB-A434-C9D88283A4CFThu, 11 Jul 2019 12:36:14 -0500Hacker deletes entire student newspaper website of University of OttawaWebsite Hack: A hacker or simply call them a cyber criminal hacked into the independent student newspaper of the University of Ottawa (uOttawa) "The Fulcrum" and ended up deleting the entire website early Sunday morning. The Fulcrum has been serving the University of Ottawa since 1942 while the website has been online since 2006. The deleted content of the website goes all the way back to 2010.
https://www.hackread.com/hacker-deletes-entire-student-newspaper-website-of-university-of-ottawa/
0622E63B-7E2D-419A-8503-DD5F80ECBA35Mon, 1 Jul 2019 14:38:56 -0500Bogus applications plaguing NC college campuses, pose security riskApplication/Email Scam: We’ve all heard stories about scam artists targeting consumers on the internet. Now, community colleges appear to be in the crosshairs of online scammers. The North Carolina community college system has discovered hundreds of bogus electronic applications mixed in with legitimate ones, and as they try to sort them out, they are also trying to figure out why they are being targeted. It appears that many of these bogus applications are not coming from real people, but bad actors in other countries making up fake identities. They are using those fake names to pose as college applicants, hoping to be issued a student email account. While most four-year institutions don’t give students an email account until they’ve started school, many state community colleges issue applicants an email address as soon as they apply.
https://www.wect.com/2019/06/24/bogus-applications-plaguing-nc-college-campuses-pose-security-risk/
8363B760-6D4D-43D3-882D-71AD39CFD2D4Mon, 24 Jun 2019 10:44:23 -0500Three U.S. Universities Disclose Data Breaches Over Two-Day SpanData Breach: Three U.S. universities have disclosed data breach incidents impacting personally identifiable information of students or employees following unauthorized access to some of their employees' email accounts. All three universities -- Graceland University, Oregon State University, and Missouri Southern State University -- have notified the individuals whose personal information was potentially stolen or accessed about the security incidents.
https://www.bleepingcomputer.com/news/security/three-us-universities-disclose-data-breaches-over-two-day-span/
EFB166DA-4DFF-4DBC-883F-DE0D92A5446FSat, 15 Jun 2019 10:47:09 -0500Personal data of Augustana College students and staff compromised after data breachPersonal data, including social security numbers and dates of birth, of Augustana College students and staff have been compromised, according to a letter sent to students. In the letter, the school told recipients that "a ransomware attack" took place on one of the school’s servers "on or about February 19, 2019" but said there was "no evidence of attempted or actual misuse of this information."
https://www.kwqc.com/content/news/Personal-data-of-Augustana-College-students-and-staff-compromised-after-data-breach-509866161.html
6E6557C5-88E4-46F8-B1E5-3B521F8E1530Mon, 13 May 2019 10:14:07 -0500VCU patient's personal information stolen twiceImagine having your personal and medical information stolen not once, but twice. It happened to a VCU Health System patient. And it was an inside job. The news of the security breach came in a letter. It stated her "clinical information, name, social security number, diagnosis and medications" had been inappropriately accessed by an employee. The letter also stated it had been going on for nearly two years.
https://www.virginiafirst.com/news/local-news/vcu-patient-s-personal-information-stolen-twice/1984456740
A4DAC131-B318-4E8D-A526-4736150025A8Mon, 6 May 2019 10:32:38 -0500Hackers steal card data from 201 online campus stores from Canada and the US A group of hackers has planted malicious JavaScript code that steals payment card details inside the e-commerce system used by colleges and universities in Canada and the US. The malicious code was found on 201 online stores that were catering to 176 colleges and universities in the US and 21 in Canada, cyber-security firm Trend Micro said in a report released on Friday.
https://www.zdnet.com/article/hackers-steal-card-data-from-201-online-campus-stores-from-canada-and-the-us/
4103E58A-8424-48A4-AF9E-A6572BB77CF7Sat, 4 May 2019 13:16:31 -0500Seattle University laptop containing 2,000 Social Security numbers lostSeattle University is warning that the names and Social Security numbers of more than 2,000 people could be exposed after a university-issued laptop was lost last month. Files containing information for 2,102 current and former faculty, staff and their dependents are accessible from the unencrypted laptop, which a university employee lost on a King County Metro bus on March 26, according to a statement from the university.
https://www.seattletimes.com/seattle-news/seattle-university-laptop-containing-2000-social-security-numbers-lost/
61E8E64D-2D09-47B1-8722-199B1E788B55Wed, 1 May 2019 11:01:00 -0500University warning of data breach over a year laterThe University of Alaska is notifying potentially affected students and others after an investigation into a data privacy incident revealed unauthorized access to some UA email accounts. The breach took place over a year ago, but it wasn’t until Friday at 11 pm that the university made public the breach through third-party news release services such as PRWire.com. The problem dates to February 2018, when the university officials began receiving reports from people having problems accessing their university email accounts.
https://mustreadalaska.com/university-warning-of-data-breach-year-later/
BADCA9C5-6D8F-4DA3-90E2-470E80556768Sun, 28 Apr 2019 12:10:17 -0500Western Michigan University suffers network outage during final examsCampus-wide network problems caused Western Michigan University in Kalamazoo to lose Wi-Fi Thursday, the last day of final exams. The university said in an afternoon tweet that specialists were working on a fix. It was not immediately clear what caused the problem.
https://www.freep.com/story/news/local/michigan/2019/04/25/network-outage-western-michigan-university/3580470002/
1C785356-50E9-443B-84C0-DE4D18A7345EThu, 25 Apr 2019 11:56:24 -0500Massachusetts college recovers 80% of money stolen by hackersCape Cod Community College has recovered more than 80 percent of the money stolen during a cyber-attack this past fall, according to an email dated Thursday from college president John Cox. An investigation by banking and government authorities helped the school cover $677,594 of the $807,130 stolen. In November, cyber criminals gained access to the college’s banking by using a combination of malware and sophisticated social engineering exploitation.
https://www.boston25news.com/news/massachusetts-college-recovers-80-of-money-stolen-by-hackers/941384722
54599511-10B2-4C6C-9DEF-10A8BF683632Fri, 19 Apr 2019 14:18:23 -0500WSU settles class action suit over 2017 hard drive theftA King County judge on Thursday approved a settlement in a class-action lawsuit against Washington State University over a potential data breach in April 2017. WSU and its insurers agreed to pay up to $5.26 million and provide potential victims an additional two years of free credit monitoring. The suit stemmed from a burglary at an Olympia storage facility in which someone stole a safe containing a hard drive, which in turn contained sensitive information on nearly 1.2 million people, including names, Social Security numbers and personal health records.
http://www.spokesman.com/stories/2019/apr/19/wsu-settles-class-action-suit-over-2017-hard-drive/
C9E1A7FC-C6C7-44A9-9ACC-2D4CE9DE962DFri, 19 Apr 2019 11:37:11 -0500Saint Rose grad pleads guilty to using 'USB Killer' device on computersThe College of Saint Rose graduate who inserted a "USB Killer" device into dozens of school computers in February pleaded guilty Tuesday to causing more than $58,000 in damage to the computers, officials said. Vishwanath Akuthota, 27, admitted that on Feb. 14 he inserted a "USB Killer" device into 66 computers, as well as numerous computer monitors and computer-enhanced podiums owned by the College of St. Rose, the U.S. Attorney's Office said.
https://www.timesunion.com/news/article/Saint-Rose-grad-pleads-guilty-to-using-USB-13772483.php
6EE885FD-60AF-4383-AC2F-F45F9011D520Tue, 16 Apr 2019 13:42:01 -0500Data breach exposes up to 1.3M Georgia Tech faculty, studentsA Georgia Tech database breach has exposed the personal information of up to 1.3 million current and former faculty members, students, staff and student applicants, according to school officials.
Georgia Tech announced Tuesday that a central database was accessed by an unknown outside entity through a web application, though it is unclear exactly who was affected. The school, which typically has around 30,000 students enrolled, said it learned of the security breach in "late March."
https://www.ajc.com/news/breaking-news/breaking-data-breach-exposes-georgia-tech-faculty-students/zAUUNWy5hoHQ8bNvMxcsWL/
28D4FFDC-DA2F-46D2-A13B-398939D5EDD1Tue, 2 Apr 2019 12:55:19 -0500Class Action Lawsuit Filed Over UConn Health Phishing AttackA class action lawsuit has been proposed which seeks to recover damages for patients whose protected health information (PHI) was exposed in the UConn Health phishing attack that was discovered on December 24, 2018. The lawsuit has been filed against the University of Connecticut and UConn Health and seeks damages, equitable, declaratory, and injunctive relief to prevent a recurrence of a data breach. A jury trial is being sought.
https://www.hipaajournal.com/class-action-lawsuit-filed-over-uconn-health-phishing-attack/
7F5FC7E2-D3DD-4F2E-BB8B-7D3C38FAE1D5Tue, 26 Mar 2019 13:49:30 -0500US universities under pressure to keep Huawei at arm's lengthFrictions between Washington and Beijing have reached American academia as China hawks in the Trump administration and Congress increase scrutiny on Chinese companies' collaboration with U.S. universities and the exchange students who attend them. The increased oversight, which includes looming rules on transferring technology abroad, poses a risk for U.S. schools as they seek to maintain their status as world leaders in research. Huawei Technologies, the world's largest supplier of telecommunications equipment, has become the most visible target of scrutiny.
https://asia.nikkei.com/Economy/Trade-war/US-universities-under-pressure-to-keep-Huawei-at-arm-s-length
BA3C72CD-0CAD-4E60-80E7-CAF8728BC249Sun, 17 Mar 2019 13:54:52 -0500Tufts expelled a student for grade hacking. She claims innocence.As she sat in the airport with a one-way ticket in her hand, Tiffany Filler wondered how she would pick up the pieces of her life, with tens of thousands of dollars in student debt and nothing to show for it. A day earlier, she was expelled from Tufts University veterinary school. Filler, 24, was accused of an elaborate months-long scheme involving stealing and using university logins to break into the student records system, view answers, and alter her own and other students’ grades.
https://techcrunch.com/2019/03/08/tufts-grade-hacking/?fbclid=IwAR0Enl37P-gH81jdIX2Y8wELdUo1W3vgDn9RD3ZRJDH4qPM896ETIPlk0fE
3AF74983-269B-4C2B-B3CB-D3E4A7DB87DFFri, 8 Mar 2019 11:51:53 -0500Names, banking information accidentally shared in emails to University of Waterloo studentsPersonal information including names, student numbers, addresses and banking information of some University of Waterloo students was accidentally sent to a mailing list of 2,000 students, the school says. The emails went out Wednesday evening. Of the emails sent to the mailing list, 15 contained some private information like names and student numbers, Matthew Grant, the university's director of media relations, told CBC Kitchener-Waterloo in an interview.
https://www.cbc.ca/news/canada/kitchener-waterloo/university-waterloo-data-email-breach-information-quest-1.5048814
47CB4154-BA80-4D8A-8512-51AB0D108922Fri, 8 Mar 2019 11:52:25 -0500Applicant Data Hacked and Ransomed at 3 U.S. CollegesThree colleges across the U.S. have been hacked. And now, the hackers are seeking a big payday before they hand over information. Oberlin College in Ohio, Iowa-based Grinnell College, and New York’s Hamilton College were targeted recently by hackers that stole data on students applying for admission to their schools, according to The Wall Street Journal. The hackers were able to dupe college staff members into handing over passwords and took control over databases that housed student applicant information. Those who stole the data are now seeking one bitcoin--currently traded at approximately $3,800--from students to retrieve their "entire admission file," including teacher recommendations, admissions department comments, and more.
http://fortune.com/2019/03/08/college-applicant-ransomware-hack/
9CAA87EC-9505-486C-A3CB-EAE400612C66Fri, 8 Mar 2019 14:03:10 -0600$1M study at U of M paused after personal health info of 420 participants is breachedA $1-million study once led by Peter Jones -- a professor under investigation by the University of Manitoba -- is on pause and its research is in jeopardy after an audit revealed the personal health information of more than 400 participants was breached. Letters went out on Tuesday to 420 participants of The Manitoba Personalized Lifestyle Research Program (TMPLR) -- a study that looked at how genetics and lifestyle influence chronic diseases -- informing them of the breach under The Personal Health Information Act.
https://www.cbc.ca/news/canada/manitoba/manitoba-university-health-breach-1.5046017
105CEBD4-289E-43A6-99AC-FF1D455B4603Wed, 6 Mar 2019 11:23:38 -0600Chinese hackers reportedly targeted 27 universities for military secretsChinese hackers singled out over two dozen universities in the US and around the world in an apparent bid to gain access to maritime military research, according to a report by cybersecurity firm iDefense, which was obtained by The Wall Street Journal. The hackers sent universities spear phishing emails doctored to appear as if they came from partner universities, but they unleashed a malicious payload when opened. Universities are traditionally seen as easier targets than US military contractors, and they can still contain useful military research.
https://www.theverge.com/2019/3/5/18251836/chinese-hackers-us-servers-universities-military-secrets-cybersecurity
A2A6CFD7-C7E6-4FC6-A108-B7D230E7B615Tue, 5 Mar 2019 10:22:50 -0600Suburban man charged with ID theft stemming from 2015 UChicago data breachA Naperville man was charged this week with stealing the identity of a west suburban couple after their personal information was compromised during a 2015 data breach at the University of Chicago, police said. Rehan Arif, a 21-year-old from Plainfield, was charged with felony counts of financial identity theft after he was arrested Tuesday in an investigation on behalf of a Riverside couple who reported thousands of dollars in fraudulent purchases made in their names, according to a news release from Riverside police. The woman, 58, and her husband were former employees at the UChicago Department of Medicine, which was hacked in 2015, police said.
http://www.fox32chicago.com/news/crime/suburban-man-charged-with-id-theft-stemming-from-2015-uchicago-data-breach
710ED0DB-35D3-406C-803B-30E2A017FA2FFri, 1 Mar 2019 11:14:37 -0600Florida Keys Community College Provides Notice of Data Security IncidentFlorida Keys Community College is taking action after discovering that it became the target of a phishing email campaign that compromised several employee email account credentials. On October 19, 2018, Florida Keys Community College learned of suspicious activity regarding an employee's email account. The investigation determined that an unknown individual had accessed certain College employees' email accounts between May 5, 2018 and November 5, 2018. The investigation in this matter confirmed that some combination of the following types of personal information may have been accessible as a result of the incident: name, address, date of birth, Social Security number, passport information, medical information, and username and password.
https://www.prnewswire.com/news-releases/florida-keys-community-college-provides-notice-of-data-security-incident-300803710.html
Fri, 1 Mar 2019 09:45:52 -0600

Data breach affects 326,000 UConn Health Center patients
A data breach at the University of Connecticut Health Center has potentially compromised information for approximately 326,000 individuals, the facility said in a recent letter to patients. The Health Center also said in a statement that for 1,500 patients that information includes Social Security numbers. After learning that "an unauthorized third party" gained access to employee email accounts, health center officials notified law enforcement and hired a forensic security firm.
http://www.myrecordjournal.com/News/State/Data-breach-affects-326-000-UConn-Health-Center-patients.html
Fri, 1 Mar 2019 11:29:44 -0500

Misconfigured database exposes 974,000 University of Washington Medicine patients
Almost one million University of Washington (UW) Medicine personal health information files were exposed for most of December 2018 due to a misconfigured database. The healthcare facility reported a website server was searchable on the internet from December 4-26 containing the data on 974,000 patients. The files did not contain specific medical records, patient financial information or Social Security numbers.
https://www.scmagazine.com/home/security-news/data-breach/misconfigured-database-exposes-974000-university-of-washington-medicine-patients/
Fri, 1 Mar 2019 11:26:29 -0500

No Email, No Wi-Fi, No LMS
Amherst College experienced a catastrophic technical mishap last week that left the campus without access to online services -- for five days. As IT staff scrambled to fix the problem, faculty and students suddenly found themselves without access to Wi-Fi, email, Moodle, accounting systems, card-scanning systems or any content hosted on the Amherst.edu website. That a scenario totally inconceivable on most modern campuses occurred at the wealthy private, liberal arts college in Amherst, Mass., was doubly surprising.
https://www.insidehighered.com/news/2019/02/21/almost-week-no-internet-amherst-college?utm_source=Inside+Higher+Ed&utm_campaign=3904afdf65-DNU_2019_COPY_01&utm_medium=email&utm_term=0_1fcbc04421-3904afdf65-198624309&mc_cid=3904afdf65&mc_eid=c27b65b094
Thu, 21 Feb 2019 11:25:14 -0600

Data breach allowed students to view other students’ admission files, sensitive personal data
Before this week, Stanford students could view the Common Applications and high school transcripts of other students if they first requested to view their own admission documents under the Family Educational Rights and Privacy Act (FERPA). Accessible documents contained sensitive personal information including, for some students, Social Security numbers. Other obtainable data included students’ ethnicity, legacy status, home address, citizenship status, criminal status, standardized test scores, personal essays and whether they applied for financial aid. Official standardized test score reports were also accessible. Students’ documents were not searchable by name, but were instead made accessible by changing a numeric ID in a URL.
https://www.stanforddaily.com/2019/02/14/data-breach-allowed-students-to-view-other-students-admission-files-sensitive-personal-data/
Thu, 14 Feb 2019 13:16:44 -0600

Email Attachment Goof Exposed Personal Info of 4,557 Cal Poly Pomona Students
Human error caused a massive leak of personal information of all active students in the Cal Poly Pomona College of Science. On Jan. 29, the campus community was notified via email of the leak. The incident occurred Jan. 28 when a university employee within the Computer Science Department intended to send an email containing advising information for 940 computer science students. Inadvertently, the employee also attached an Excel spreadsheet containing personal information of all 4,557 active students in the College of Science.
https://thepolypost.com/news/2019/02/05/massive-data-leak/
Tue, 5 Feb 2019 11:12:58 -0600

Pellissippi State Community College reveals data breach
More than 200 current and former students of Pellissippi State Community College could be in danger of identity theft because an unauthorized user had access to their personal information, the school revealed Monday. According to the college, an investigation showed that of 1,800 emails in the account that was accessed by an unauthorized user, 222 contained information such as first name, last name, Pellissippi State username, student identification number, date of birth, driver’s license number and/or partial or full Social Security number.
https://www.thedailytimes.com/news/pellissippi-state-community-college-reveals-data-breach/article_e056f291-c168-5b45-a494-885b96e3b5f6.html
Mon, 4 Feb 2019 10:51:31 -0600

Colleges Mine Data on Their Applicants
Some colleges, in an effort to sort through a growing number of applications, are quietly tracking prospective students’ online interaction with the schools and considering it in deciding whom to admit. Enrollment officers at schools including Seton Hall University, Quinnipiac University and Dickinson College know down to the second when prospective students opened an email from the school, how long they spent reading it and whether they clicked through to any links. Boston University knows if prospective students RSVP’d online to an event--and then didn’t show.
https://www.wsj.com/articles/the-data-colleges-collect-on-applicants-11548507602
Sat, 26 Jan 2019 09:38:28 -0600

UNB issues warning after faculty emails compromised in massive data dump
The University of New Brunswick is telling faculty and staff to be on the alert after some email addresses were detected in a massive data dump published online earlier this month. The "Collection #1" breach includes millions of email addresses and passwords. It's believed to be an aggregate of data breaches from thousands of sources, collected over the years and posted to a cloud service last week. Erik Denis, senior cybersecurity officer at UNB, said only 40 per cent of the 4,500 UNB email addresses detected in the collection are active.
https://www.cbc.ca/news/canada/new-brunswick/cyber-security-unb-collection-one-1.4993914
Sun, 27 Jan 2019 12:56:27 -0600

U.S. universities unplug from China's Huawei under pressure from Trump
Top U.S. universities are ditching telecom equipment made by Huawei Technologies and other Chinese companies to avoid losing federal funding under a new national security law backed by the Trump administration. U.S. officials allege Chinese telecom manufacturers are producing equipment that allows their government to spy on users abroad, including Western researchers working on leading-edge technologies. Beijing and the Chinese companies have repeatedly denied such claims.
https://www.reuters.com/article/us-usa-china-security-universities-insig/u-s-universities-unplug-from-chinas-huawei-under-pressure-from-trump-idUSKCN1PI0GV
Thu, 24 Jan 2019 20:25:17 -0600

DePaul data breach IDs hundreds of workers
In a congratulatory email to wellness program participants, DePaul University inadvertently exposed private information for more than 650 employees. Rather than blind copying email recipients, the Dec. 14 communication displayed the names and email addresses of employees who successfully completed the university’s 2018 wellness program, DePaul spokeswoman Carol Hughes said in an email today. Through the optional wellness program, faculty and staff at the largest Catholic university in the country are eligible to earn financial incentives for taking part in healthy activities.
https://www.chicagobusiness.com/health-care/depaul-data-breach-ids-hundreds-workers
Tue, 8 Jan 2019 11:14:05 -0600

UVM Hospital network releases findings of data breach probe
For a brief time, an unauthorized user remotely accessed an email account of an employee at University of Vermont Health Network, Elizabethtown Community Hospital that contained some personal information, including Social Security numbers. While no evidence has been found that individual information was viewed, ECH said in a news release, the hospital is notifying about 32,000 potentially affected people and providing information on steps they can take to protect themselves against potential fraud or identity theft. "The 1,200 individuals whose Social Security numbers were included in the email account will be offered free credit and identity theft monitoring services," the release said.
https://poststar.com/news/local/hospital-network-releases-findings-of-data-breach-probe/article_0c62ac2e-6fb6-59c8-82ab-eb139c8112cd.html
Tue, 18 Dec 2018 09:42:12 -0600

Dozens of student accounts hacked
Dozens of students were shocked to learn that they were suspended from SF State last week when an email appearing to be from California State University’s chancellor gave them the bad news. But when they clicked on a link in the email, the truth was revealed -- they had just been hacked. Another fake email claimed that students need to "re-validate" their email storage, and that their account was unable to receive new emails until they clicked the link. Information Technology Services claims 25 students clicked the link and had their account access revoked as a result.
https://goldengatexpress.org/2018/12/12/dozens-of-student-accounts-hacked/
Wed, 12 Dec 2018 10:05:48 -0600

Hackers Steal $800,000 from Massachusetts College
A Massachusetts community college is beefing up its cybersecurity after hackers stole $800,000 through an infected email. Cape Cod Community College President John Cox tells the Cape Cod Times the email appeared to come from another college and the person who clicked on it didn't have any suspicions at first. College IT officials ran a diagnostics test and found an infected virus. The virus was quarantined too late. Cox says the malware targeted the college's financial transactions and nine fraudulent transactions were made.
https://www.necn.com/news/new-england/Hackers-800000-from-Massachusetts-College-502301821.html
Sun, 9 Dec 2018 11:45:01 -0600

Colleges, including Saint Rose, hit with website lawsuits
The College of Saint Rose is among the most recent targets of a series of lawsuits filed against colleges and other organizations related to their websites. The plaintiffs say the legal actions represent a growing movement to make online portals more accessible to the disabled -- in this case, the blind or visually impaired. Attorneys for the defendants categorize them as nuisance suits. New York City resident Jason Camacho is the listed plaintiff on 47 other suits, all filed in November, against colleges and schools nationwide.
https://www.timesunion.com/news/article/Colleges-including-Saint-Rose-hit-with-mass-13442769.php
Tue, 4 Dec 2018 12:01:45 -0600

University’s medical centers must face data breach suit
The Pennsylvania Supreme Court has overturned lower court rulings and held that employees can pursue a negligence claim against two University of Pennsylvania medical centers in connection with a data breach. In 2014, employees of the University of Pittsburgh Medical Center and the University of Pennsylvania Medical Center McKeesport filed suit charging negligence and a breach of an implied contract claim in connection with a data breach. The employees said personal and financial information, including names, birth dates, Social Security numbers, addresses, tax forms and bank account information on all 62,000 University of Pennsylvania Medical Center employees and former employees, was accessed and stolen. They said this information was then used to file fraudulent tax returns on behalf of the victimized employees, resulting in actual damages.
https://www.businessinsurance.com/article/20181126/NEWS06/912325286/University-of-Pennsylvania-medical-centers-must-face-employees-data-breach-suit
Mon, 26 Nov 2018 10:46:10 -0600

Private health information leaked from UK HealthCare
When you go to the hospital, you probably just want to get better. You’re likely not thinking the private information you’re giving doctors may slip out. Recently, some of that information made its way out of UK Hospital to someone who never should have seen it. That’s how ABC 36 came across what should have been private medical records. A doctor sent two emails to a list of about 60 people. At least one of those people has never had any role at the hospital, but all of a sudden she had access to private medical information that could be yours or your neighbors’. Recently, a surgeon at UK Hospital sent ABC 36 news producer Morgan Henry two emails containing detailed information about patients at the hospital. She graduated from UK’s Journalism School more than a year ago, but her university email address still transfers messages to her personal account.
https://www.wtvq.com/2018/11/25/abc-36-exclusive-private-health-information-leaked-uk-healthcare/
Sun, 25 Nov 2018 13:53:55 -0600

Upstate University Hospital informs 1,216 patients of privacy breach
On September 12th, Upstate University Hospital discovered medical records for 1,216 patients were accessed by an employee for a non-work related reason. The vulnerable information includes names, ages, addresses, as well as medical care history. Luckily, social security, insurance and credit card numbers were not compromised in this case. The employee who wrongfully accessed the information is no longer working for Upstate.
https://cnycentral.com/news/local/upstate-university-hospital-informs-1216-patients-of-privacy-breach
Tue, 13 Nov 2018 16:01:48 -0600

UCF warns of 'sextortion' scam targeting university email accounts
UCF warned today that a "sextortion" email scam is targeting university accounts, claiming to have video of users watching "adult sites" and demanding $900 if they don’t want that shared with all their contacts. The University of Central Florida’s Information Security office tweeted about the scam today, though it had warned about it back in August, too. The scam involves someone nicknamed "darknet" who claims to have hacked into the user's computer, copying all their contacts and using a web-cam to record what videos they watched.
https://www.orlandosentinel.com/features/education/school-zone/os-ne-ucf-email-scams-sextortion-20181025-story.html
Thu, 25 Oct 2018 12:26:27 -0500

Yale University sued over 2008 data breach
Two lawsuits have been filed in federal court against Yale University claiming damages from a 2008 data breach at the university. Yale discovered the breach on June 16 this year during a security review of its servers, it said in a letter to those affected. Intruders gained electronic access to a Yale database between April 2008 and January 2009 and extracted names, Social Security numbers, dates of birth, email addresses and, in some cases, physical addresses, the university said in its letter. A class-action lawsuit, filed in U.S. District Court on behalf of Andrew Mason of Virginia this week claims the university was negligent in its handling of student data. The suit also claims that Yale was reckless and acted with "willful misconduct" as it "turned a blind eye to" possibilities of a prior data breach and that the university used unfair trade practices.
https://www.nhregister.com/news/article/Yale-University-sued-over-2008-data-breach-13315315.php
Wed, 17 Oct 2018 09:13:44 -0500

Server cleanup at URMC renders 2.6M archived files useless
A mishap during routine server cleanup at the University of Rochester Medical Center several months ago has made it impossible for staff in the affected departments to open 2.6 million files. The files were on a server used by finance, research and operations to archive documents that had not been used for at least six months. No patient files were affected, URMC officials said. "Our electronic medical record system was not affected in any way, and no personal health information was lost," said B. Chip Partner, assistant vice president for communications for the medical center. During regular maintenance on the archival server, an IT worker cleared pointers, which serve as the map to get to and open a document. "He thought that these pointers were no longer needed and that he was clearing up the server," Bales said. "That was the mistake. He didn’t realize those pointers were indeed still needed."
https://www.democratandchronicle.com/story/news/2018/10/17/server-mishap-urmc-affects-archived-data-files/1669497002/
Wed, 17 Oct 2018 09:12:01 -0500

Education Department warns that students on financial aid are being targeted in phishing attacks
Malicious attackers have recently tried to gain access to students' financial aid refunds at multiple colleges in a scheme that involves sending fraudulent emails to students, according to a warning issued by the Education Department. The target is federal student aid refunds, money distributed to students after tuition and other education costs are paid. The attacks begin with a phishing email sent through a college’s password-protected website for students, department officials wrote. It is an email intended to fraudulently extract personal information.
https://www.washingtonpost.com/education/2018/09/15/education-department-warns-that-students-financial-aid-are-being-targeted-phishing-attacks/?utm_term=.aaf7cc240fc9
Fri, 5 Oct 2018 11:29:15 -0500

Ball State residence hall director accused of viewing child porn in dorm room
A Ball State University residence hall director is facing multiple charges of possessing child pornography. Baden Robinson, 24, was arrested by Ball State University Police Department officers on Monday after an IT employee noticed unusual activity on the network account coming from his dorm and notified the police. "We employ several layers of information security designed to protect university systems and data against outside attack," the university said in a statement released Tuesday. "In this case, one of our defensive systems identified numerous attempted connections to a remote site, flagged as hosting potentially illegal content."
https://www.theindychannel.com/news/local-news/delaware-county/ball-state-residence-hall-director-accused-of-viewing-child-porn-in-dorm-room
Tue, 2 Oct 2018 11:48:21 -0500

No Cash Needed At This Cafe. Students Pay The Tab With Their Personal Data
Shiru Cafe looks like a regular coffee shop. Inside, machines whir, baristas dispense caffeine and customers hammer away on laptops. But all of the customers are students, and there's a reason for that. At Shiru Cafe, no college ID means no caffeine. Sarah Ferris, assistant manager at the Shiru Cafe branch in Providence, will turn away customers if they're not college students or faculty members. The cafe allows professors to pay, but students have something else the shop wants: their personal information. To get the free coffee, university students must give away their names, phone numbers, email addresses and majors, or in Brown's lingo, concentrations. Students also provide dates of birth and professional interests, entering all of the information in an online form.
https://www.npr.org/sections/thesalt/2018/09/29/643386327/no-cash-needed-at-this-cafe-students-pay-the-tab-with-their-personal-data
Mon, 1 Oct 2018 10:50:30 -0500

Former Bloomsburg University Professor Sentenced on Child Porn Charges
A former philosophy professor at Bloomsburg University is headed to prison for having child pornography. Scott Lowe was sentenced Thursday to 11 and a half to 23 and a half months behind bars. He must register as a sex offender for 15 years and can have no contact with minors. In June, Lowe pleaded guilty to having child pornography on his work computer. According to arrest papers, during a routine check of campus computers in February, an employee noticed malware and traced it to Lowe's desktop in his office in Bakeless Hall, finding a pornographic image of a young girl.
https://wnep.com/2018/09/27/former-bloomsburg-university-professor-sentenced-on-child-porn-charges/
Thu, 27 Sep 2018 00:00:00 -0500

Vendor's data breach affects hundreds of U of L employees
The University of Louisville told its faculty and staff Tuesday that a third-party fitness vendor experienced a data breach that compromised hundreds of U of L employees and retirees. The vendor, Minneapolis-based Health Fitness Corp., informed U of L officials on Aug. 24 of a data breach at the company that affected "several institutions," according to an internal email sent to U of L staffers from U of L Chief Human Resources Officer John Elliott. The data for 247 U of L employees, retirees and others enrolled in a program called "Get Healthy Now" from 2007 to 2014 were affected. Health Fitness provides health assessments, health coaching through the Get Healthy Now program, and staffing at U of L's wellness facilities.
https://www.bizjournals.com/louisville/news/2018/09/11/vendors-data-breach-affects-hundreds-of-u-of-l.html
Tue, 11 Sep 2018 20:55:45 -0500

Former University of Iowa student sentenced in computer fraud case
The former student who hacked into the University of Iowa computer network to change grades was sentenced to four months in prison Thursday, according to an Iowa Department of Justice release. The sentencing came after Trevor J. Graves, 23, pleaded guilty in April to unauthorized access and damage to the UI college computer network he carried out from May 2015 to November 15, 2016. During that time he admitted to knowingly and intentionally committing fraud as he obtained professors' usernames and passwords. Graves used the data to access the Iowa Courses Online computer network, where he deleted and changed his grades and those of five other students.
https://www.press-citizen.com/story/news/2018/08/23/university-iowa-former-ui-student-sentenced-computer-fraud-case-change-grades-trevor-graves/1075564002/
Thu, 23 Aug 2018 09:52:11 -0500

Ga. university breach risks health, personal information of 417,000
A breach of email accounts at Augusta University Health may have exposed sensitive health and personal information of about 417,000 people, including patients around Georgia, the university reported Thursday. Faculty members and "a small number" of students at Augusta University were also among those who may be affected, according to the university. Exposed information may have included patient names, addresses, diagnoses, medications, lab results, dates of birth, treatment information, medical record numbers, medical information, surgical information, dates of service and insurance information.
https://www.ajc.com/news/state--regional/university-breach-risks-health-personal-information-417-000/nPuUSV8qqvQXTQjY0ML8wN/
Thu, 16 Aug 2018 12:36:48 -0500

Saint Louis University is placing 2,300 Echo Dots in student living spaces
Saint Louis University has announced that it will be placing Amazon Echo Dot devices, powered by Alexa for Business, in every student residence hall room or student apartment on campus. While other colleges, like Arizona State University, have put Echo Dots in student housing before, SLU says this is the first time a college will equip every student living space with an Amazon Alexa-enabled device. In regards to privacy concerns, SLU says that because it is using the Amazon Alexa for Business platform, every Echo Dot is managed by a central system that is not tied to any individual accounts. No personal information will be collected so all use is anonymous.
https://www.theverge.com/2018/8/15/17693174/saint-louis-university-echo-dots-amazon-student-living-spaces
Wed, 15 Aug 2018 08:41:00 -0500

Social security numbers stolen in Yale University data breach
A data breach happened at Yale University between April 2008 and January 2009. During that breach, intruders gained electronic access to the Yale database and took Social Security numbers, names, and dates of birth. The database that was accessed did not have any financial information. Yale discovered the breach on June 16, 2018 during a security review of the Yale servers.
http://www.wfsb.com/story/38769422/social-security-numbers-stolen-in-yale-university-data-breach
Mon, 30 Jul 2018 09:31:25 -0500

Clark University Security Incident Notice to Consumers
Clark University in Massachusetts began notifying some students whose personal information, including Social Security Numbers, were in an employee’s email account that had been accessed. According to their notification dated July 20, the university’s investigation revealed that an unauthorized individual could have accessed the employee’s email account between March 19 and March 23rd. From the wording of the letter, it appears that one employee fell for a phishing attack.
http://ago.vermont.gov/blog/2018/07/20/clark-university-security-incident-notice-to-consumers/
Fri, 20 Jul 2018 18:54:24 -0500

Algonquin College says more than 111,000 affected by data breach
A total of 111,499 people were affected by a computer security breach at Algonquin College earlier this year, according to college officials. The announcement was made on Monday after a lengthy investigation into the data breach in order to determine exactly what kind of personal information hackers may have gained access to. Officials from the college said they did not believe that hackers gained access to financial information, Social Insurance Numbers, banking or credit card information, or personal health information. However, they said the data breach may have revealed birthdays and home addresses to those behind the attack.
https://ottawacitizen.com/news/local-news/algonquin-college-says-more-than-111000-affected-by-data-breach
Mon, 16 Jul 2018 12:10:55 -0500

UPMC Cole notifies patients of personal data breach
UPMC Cole has notified 790 patients treated at UPMC Cole that their personal information may have been inappropriately accessed. As a result of UPMC Cole’s internal investigation, it was determined that there were two phishing attacks (e-mails sent from an external source that look like they are from a trusted source attempting to obtain sensitive information and often contain links to a phony login page or fake website) on June 7 and June 14 that were discovered through staff reports of the receipt of the e-mails. The phishing attacks were isolated to e-mail accounts and no medical records systems were breached.
http://www.wellsvilledaily.com/news/20180716/strongupmc-cole-notifies-patients-of-personal-data-breachstrong
Mon, 16 Jul 2018 14:01:49 -0500

Purdue data breach exposes personal info of 26K prospective students
Personal information of 26,598 prospective Purdue students found its way to a parent of a possible student, Purdue spokesman Jim Bush said Thursday in a news release. The file with the personal information was mistakenly sent to a parent of a prospective student on May 17. When the parent received the file, he or she immediately contacted Purdue and cooperated with the university to destroy the file without any further breaches, according to the news release. "The university filed a report with the state's attorney general office and is providing required notifications and offering credit monitoring for a period of one year," the release states.
https://www.jconline.com/story/news/local/purdue/2018/07/12/purdue-data-breach-exposes-personal-info-26-k-prospective-students/780711002/
Thu, 12 Jul 2018 09:57:14 -0500

Notre Dame de Namur University notifying financial aid applicants of data security incident
Notre Dame de Namur University is notifying some financial aid applicants that their information may have been compromised when an employee fell prey to a phishing attack. In its notification letter (reproduced below), Henry Roth, the Chief Financial Officer and VP of Administration, writes that the university learned of the possible compromise on May 18. Investigation determined that the affected email account contained names, Social Security numbers, and other information provided with financial aid applications. The number of students affected was not disclosed in the notification to the California Attorney General’s office.
https://www.databreaches.net/notre-dame-de-namur-university-notifying-financial-aid-applicants-of-data-security-incident/
Mon, 2 Jul 2018 11:24:26 -0500

California Passes Sweeping Law to Protect Online Privacy
California has passed a digital privacy law granting consumers more control over and insight into the spread of their personal information online, creating one of the most significant regulations overseeing the data-collection practices of technology companies in the United States. The new law grants consumers the right to know what information companies are collecting about them, why they are collecting that data and with whom they are sharing it. It gives consumers the right to tell companies to delete their information as well as to not sell or share their data. Businesses must still give consumers who opt out the same quality of service.
https://www.nytimes.com/2018/06/28/technology/california-online-privacy-law.html
Thu, 28 Jun 2018 00:00:00 -0500

Arizona State billed 4,500 students for scholarships after computer glitch
About 4,500 Arizona State University students received unexpected, erroneous charges on their university billing accounts last week. Students who received merit-based scholarships in the 2017-18 school year were accidentally billed for part or all of the scholarships. ASU’s computer system glitched, causing documentation of students’ merit-based scholarships to be removed, the university said. That, in turn, caused the accounts to show a balance due.
https://www.azcentral.com/story/news/local/arizona-education/2018/06/25/asu-students-get-charged-scholarships-after-computer-error/731739002/
Mon, 25 Jun 2018 09:18:59 -0500

Past Jeopardy! champ pleads guilty to felony for hacking college emails
A Jeopardy! champion and former Adrian College professor who hacked college email accounts pleaded guilty to a felony this week. She admitted on Wednesday, June 13, to unauthorized access to a computer, program or network, punishable by a maximum of five years in prison and a large fine. Jass had taken advantage of a campus-wide password reset in the spring of 2017 to see messages sent to or received by President Jeffrey Docking and outgoing Vice President Agnes Caldwell, according to a Michigan State Police report.
http://www.mlive.com/news/jackson/index.ssf/2018/06/past_jeopardy_champ_pleads_gui.html
Fri, 15 Jun 2018 11:27:03 -0500

University of Vermont reports data breach, investigation
The University of Vermont says it is taking steps to address a data breach reported this week. UVM officials said Thursday that the breach could lead to malicious use of university usernames and passwords, but say they do not believe any personal information was compromised. WCAX-TV reports the university is requiring everyone to change their passwords as a precaution due to the breach.
https://www.usnews.com/news/best-states/vermont/articles/2018-05-25/university-of-vermont-reports-data-breach-investigation
2F59277B-8CEF-4896-BC20-922242E97848Fri, 25 May 2018 11:41:58 -0500Thousands of UB logins stolen in third-party data breachUniversity at Buffalo leaders, along with their security team, are investigating a data breach of external third-party accounts. They say it's affected more than 25-hundred accounts campus wide. About 18-hundred of those are student accounts. Officials say those whose logins were stolen may have visited a website not associated with the university.
http://www.wivb.com/news/local-news/thousands-of-ub-logins-stolen-in-third-party-data-breach/1188486364
A24BA3C9-6892-4A10-A3B2-0766881C5A0AMon, 21 May 2018 10:07:46 -0500UT alerts some faculty, students of lost flash drive containing Social Security numbersA lost flash drive containing the names and Social Security numbers of an undisclosed number of people associated with the University of Toledo prompted the university to send out letters alerting those affected by the "security incident." A UT faculty member lost an unencrypted flash drive containing personal information belonging to some students, faculty, staff, and external research coordinators, according to the letter. That information included names, addresses, and Social Security numbers, and possibly birth dates.
http://www.toledoblade.com/Education/2018/05/18/UT-alerts-faculty-students-of-lost-flash-drive-containing-Social-Security-numbers.html
98B6C84A-2EFC-4FD4-965A-97EA6DFE16A1Fri, 18 May 2018 10:06:14 -0500College student charged with breaking into office 4 times to steal passwords, alter gradesA university student allegedly broke into a school office four times in order to steal passwords and change his grades. On his fourth trip, he found much more to worry about than his school performance. Kaustubh M. Shroff, a biological sciences major, allegedly broke into the registrar's office in Savitz Hall in Glassboro between December of last year and Jan. 11 with two goals. First, he plugged a flash drive containing keylogger software into a computer. A keylogger records keystrokes made by computer users and was used to steal staff login credentials, prosecutors allege.
http://www.nj.com/gloucester-county/index.ssf/2018/05/student_allegedly_broke_into_office_4_times_to_ste.html
11FA9724-7F2C-41C4-A93D-E4520E911C8BThu, 17 May 2018 15:44:25 -0500UT physician group improperly shared patient email addressesA clinic owned by the physicians organization of the University of Texas Health Science Center at Houston improperly sent out mass emails containing the email addresses of many of its patients. UT Physicians' Davis Clinic sent batches of emails, notification of a doctor leaving the clinic, to patients last week. There were 19 such emails, each of which made visible the email addresses of anywhere from 100 to 300 other people.
https://www.chron.com/news/medical/article/Patient-email-addresses-improperly-shared-by-UT-12917516.php
D4A55416-F9BC-49ED-A1C1-193EFBE5FA41Wed, 16 May 2018 16:47:04 -0500Email account of Northwest University's CFO hacked; school out nearly $60,000KIRO 7 has uncovered documents detailing the Kirkland Police Department's ongoing investigation into how a suspect, or ring of suspects, was able to hijack the school email account of Northwest University's chief financial officer. The hacking of CFO John Jordan's email account has the Kirkland college out nearly $60,000. According to detectives, the thieves secretly monitored Jordan's emails and, when a legitimate payment was due to a school vendor, the hackers re-routed the money.
https://www.kiro7.com/news/local/email-account-of-northwest-universitys-cfo-hacked-school-out-nearly-60000/744040954
965A3C66-F9D1-4EAA-B7E1-099B4B861661Sat, 5 May 2018 15:39:21 -0500Hackers target Georgia Southern, Augusta restaurantsA hacking group upset with Georgia legislation that could criminalize what they do targeted Georgia Southern University and two Augusta restaurants in an ongoing campaign to draw attention to what it thinks will be the unintended consequences of that bill. A hacker who identified himself as Dave emailed a long list of what appeared to be Georgia Southern email addresses and passwords as well as a screenshot of what appears to be a student’s MyGeorgiaSouthern personal profile, which he said would allow them to change the student’s major or "pretty much anything else regarding their future." It also appears to allow the hackers to change a student’s schedule, change passwords or access financial aid information. The screenshot shows the current news and events listed Tuesday on the Georgia Southern site. However, a message sent to the student’s email came back as invalid. Georgia Southern said after investigating a partial list of emails and passwords provided to The Chronicle that its "accounts have not been compromised" and that "the information is not from our web site," spokeswoman Jennifer Wise said.
http://www.augustachronicle.com/news/20180501/hackers-target-georgia-southern-augusta-restaurants
A17EBBE4-3B86-4B49-85F7-8C1A79A7BF54Tue, 1 May 2018 09:28:35 -0500BSU football camp attendees' personal information stolenBoise State University received notice recently from Fresno State University that a theft on their campus may have potentially involved some personal information that originated at Boise State, according to BSU spokesman Greg Hahn. An external hard drive stolen sometime in the last week of December, 2017, from a facility at Fresno State included personal information for some Boise State football camp attendees from 2007, 2008 and 2011 and others connected to the Boise State Athletics Department around the same time.
https://www.kivitv.com/news/bsu-football-camp-attendees-personal-information-stolen
8A37FC22-6E85-432F-8AB0-23B1A1EC132ETue, 1 May 2018 14:19:33 -0500Former University of Iowa wrestler pleads guilty to computer-fraud chargeFormer Iowa wrestler Trevor Graves appeared in federal court in Davenport on Monday and pleaded guilty to transmission of a command to damage a protected computer. Graves was arrested in Denver in October 2017 and appeared in an Iowa court the next month. Graves obtained professors' usernames and passwords via a key logger and used the information to change grades for him and five other students. The charge means Graves faces up to 10 years in prison.
http://daily-iowan.com/2018/04/17/former-university-of-iowa-wrestler-pleads-guilty-in-computer-fraud-charge/
0434CC72-0A96-44B2-AB8E-40279CC811B3Tue, 17 Apr 2018 00:00:00 -0500MacEwan University recovers bulk of $11.8M lost in online phishing scamAfter months of legal wrangling, Edmonton's MacEwan University has recovered nearly all of the $11.8 million lost to an online phishing scam. The university said it was able to recover $10.92 million before concluding legal proceedings. The university was defrauded last summer when staff failed to verify as legitimate emails requesting a change in banking information for one of its vendors. Three payments were made to a fraudulent account: one on Aug. 10 for $1.9 million; another on Aug. 17 for $22,000 and a third on Aug. 19 for $9.9 million. MacEwan University discovered the fraud after the legitimate vendor, a construction company, called to ask why it hadn't been paid.
http://www.cbc.ca/news/canada/edmonton/macewan-university-recovers-most-of-11-8m-online-phishing-scam-1.4604729
65BC73BB-4BB5-40DC-83A1-A2261A0048BBWed, 4 Apr 2018 15:00:12 -0500Alabama Becomes the Final State to Enact a Data Breach Notification LawOn March 28th, Alabama Governor Kay Ivey (R) signed into law the Alabama Data Breach Notification Act, Act No. 2018-396, making Alabama the final state to enact a data breach notification law. South Dakota Governor Dennis Daugaard signed into law a similar statute one week prior. The Alabama law will take effect May 1, 2018. Being the last state to enact a breach notification law, Alabama had the benefit of examining the approach in just about all of the other states and apparently drew provisions from many other state laws, including relatively detailed requirements for covered entities (as defined within the statute) and their third-party service providers to maintain reasonable requirements to protect "sensitive personally identifying information."
https://www.lexology.com/library/detail.aspx?g=6f523f84-e026-4399-b838-a0cdf4501d93
2AF803A6-13D3-487F-A968-BF2A8E514A94Wed, 4 Apr 2018 14:17:41 -0500Iranian hackers attacked college professors, US agencies and companiesNine Iranians were charged Friday by the Justice Department in a wide-ranging scheme to hack and steal electronic data from universities, private corporations and U.S. government entities to benefit the government of Iran. The nine allegedly accessed the computer systems of U.S. universities through duplicitous electronic contacts, a scheme known as phishing. They targeted more than 100,000 professor email accounts at 144 American universities through the spearphishing campaign, the indictment said. The activity, which had allegedly been conducted since 2013, could cost universities $3.4 billion.
https://www.cnbc.com/2018/03/23/us-indicts-iranian-nationals-in-iran-government-backed-scheme-on-us-universities.html
6688ABDC-7E61-48B1-A32B-C100DEA853EAFri, 23 Mar 2018 13:22:02 -0500Penn notifies group of students of a breach in security that involved their private infoA breach in privacy of some advance class registration lists has prompted the University to launch an investigation and to notify the students whose personal information was accessed during this incident. The class lists contained information on class enrollment and included students' names and the last four digits of their social security numbers, according to the email sent out this afternoon by Chief University Privacy Officer Scott Schafer. The email indicates that advance class registration lists for this past spring semester were downloaded by an unauthorized user, who accessed the lists through a "course registration application." That server has since been taken offline.
http://www.thedp.com/article/2018/03/privacy-breach-student-information-upenn-penn-philadelphia-class-lists-registration
D1F35093-CEE9-4781-B225-A9FC62C1A6DDTue, 13 Mar 2018 13:28:43 -0500Columbia College security breach affects employees, family membersA data security breach resulted in the disclosure of the names and Social Security numbers of Columbia employees and their family members on IRIS, the college’s internal website. The college learned Feb. 15 that SharePoint, the search portal application used to apply for the Tuition Exchange Program, a college employee benefit, displayed the personal information, according to a March 2 email sent out to those affected by Senior Vice President of Business Affairs and CFO Jerry Tarrer.
http://www.columbiachronicle.com/campus/article_3f80dad8-23f2-11e8-97da-23e5f572b8f3.html
4C125C1E-BBF0-46A3-BA15-469978712E44Mon, 12 Mar 2018 15:47:07 -0500Stolen University Hard Drive Potentially Exposes Thousands of RecordsThe theft of an external hard drive at Fresno State could expose the personal data of at least 15,000 people. The hard drive was reported missing Jan. 12 and Fresno State officials said some of the files may have contained personal information, including names, addresses, phone numbers, birth dates, credit card numbers, driver's license numbers and full or last four digits of Social Security numbers. Officials said the data could affect former student athletes, sports-camp attendees and Athletic Corporation employees. The vast majority of data files were from 2003 to 2014.
http://www.govtech.com/security/Stolen-University-Hard-Drive-Potentially-Exposes-Thousands-of-Records.html
324EE783-61FB-4EFE-BF82-D549D2710C16Tue, 6 Mar 2018 17:07:50 -0600Professor in department of health services unintentionally releases personal student information via emailOn Jan. 25, 50 students and 35 faculty and staff members within the Department of Health Services received an email with a spreadsheet that contained personally identifiable information (PII) of more than 9,000 people. Amy Hagopian, associate professor in Health Services at the UW, unintentionally sent the email containing the spreadsheet to students in the Community Oriented Public Health Practices (COPHP) program. It contained data from graduate student applications to the Department of Health Services in the School of Public Health over a seventeen-year period, from 2000 to 2017.
http://www.dailyuw.com/news/article_e0a77a86-201c-11e8-8a8e-d76f00d0261e.html
7D147F18-F574-4846-A5E6-F069236254F8Mon, 5 Mar 2018 13:42:37 -0600St. Louis Community College investigating possible student data breachSt. Louis Community College said it is investigating a possible breach of student information. The school says an email attachment containing personally identifiable information for 362 students was sent to a small number of other students. The attachment has names, email, ID numbers and home addresses of the 362 students. The school says it did not contain Social Security numbers or dates of birth.
http://www.kmov.com/story/37628377/st-louis-community-college-investigating-possible-student-data-breach
0BE4FFDE-0C2B-4DF6-B2F3-C170A984FEB0Thu, 1 Mar 2018 12:04:25 -0600Former UNG employee accessed protected student data in BannerOn Monday, Feb. 26, the University of North Georgia’s Office of University Relations emailed all students regarding improper access of Banner information in January. The email cautioned students that a former student employee inappropriately accessed information protected by FERPA (Family Educational Rights and Privacy Act), though it said there is no evidence the data has been misused. The improper access was discovered during routine system maintenance performed by the Office of Information Technology. The information accessed was primarily directory-level data, specifically name, ID number, gender, major, concentration, dorm or commuter status, class, address, phone number, adviser name, email and campus.
http://ungvanguard.org/2018/02/in-banner-security-breach-former-employee-accessed-protected-student-data/
20613D64-E9E3-400A-B295-4D800DFE9D96Thu, 1 Mar 2018 15:09:36 -0600University of Wisconsin-Superior Alumni Association notifies alumni after unintentional exposure of SSNRemember when universities used Social Security numbers as student IDs? Well, if you contact alumni, make sure you are no longer using their SSN as their IDs. The University of Wisconsin-Superior Alumni Association is notifying an unspecified number of their alumni after they discovered that using old student IDs was a current risk. On February 1, 2018, UW-Superior Alumni Association sent its alumni a Mississippi River Cruise brochure sponsored by the UW-Superior Alumni Association. In the process of preparing the mailing data, an ID number was sent to UW-Superior Alumni Association’s travel vendor and appeared above each individual’s name and address on the brochure. On February 5, 2018, UW-Superior Alumni Association was made aware that the ID number for its alumni who graduated during a certain time period may have been the same as the student ID number (social security number) used while in attendance at UW-Superior.
https://www.databreaches.net/university-of-wisconsin-superior-alumni-association-notifies-alumni-after-unintentional-exposure-of-ssn/
4677DDDA-0016-4ABB-85A1-EBA1FBD2CD50Tue, 27 Feb 2018 16:38:09 -0600UA data breach appears to target tax infoA data breach at the University of Alaska has affected dozens of current and former employees and students according to university officials, who say action is being taken on the matter. A total of 50 people’s accounts have been affected by the breach. "The hackers had access to personal information through social media and other sources, which allowed them to answer security questions in the UA self-service password reset tool," UA officials wrote. "Since these users had chosen to not provide any custom security questions, the hackers were able to use the tool to change passwords."
http://www.ktva.com/story/37569951/ua-data-breach-appears-to-target-tax-info
4B8C7271-DBF7-412F-A0F1-195E296E15D8Thu, 22 Feb 2018 14:18:00 -0600Higher Ed Users Are Less Susceptible to Phishing ScamsUniversity end users are pretty good at identifying a scam. The State of the Phish 2018 report found that users in education were less likely to click on a phishing attempt than those in technology, entertainment, hospitality, government, consumer goods, retail and telecommunications. Several industries, including transportation, energy and finance, fared better than education, proving that higher education institutions still have work to do.
https://edtechmagazine.com/higher/article/2018/02/higher-ed-users-are-less-susceptible-phishing-scams
7950739E-AE0D-4797-B8F4-7B92582E5ED8Wed, 21 Feb 2018 13:37:16 -0600UVA Health System Notifies 1,882 Patients About Potential Privacy IssueThe University of Virginia Health System is notifying patients of a cyberattack that gave a hacker access to over 1,800 medical records. The FBI discovered that a physician's devices with the UVA Health System were infected with malware, which allowed the hacker to see what the employee was viewing. "It was malicious software -- malware -- that this operator created and was actually able to infiltrate the devices of those individuals who were victims of his crime," said Regina Verde with the UVA Health System.
http://www.nbc29.com/story/37555891/uva-health-system-notifies-1882-patients-about-potential-privacy-issue
33C64F60-F627-47F8-B750-65EA5F838832Wed, 21 Feb 2018 17:32:09 -0600UGA student accused of hacking account to change gradesA University of Georgia student is facing 80 felony counts for allegedly hacking into a professor’s computer to change his grades. Michael Lamon Williams, 21, was booked into the Clarke County Jail Wednesday on nine counts of computer trespass and 71 counts of computer forgery. Williams, a student of UGA’s Terry College of Business, was working for Enterprise Information Technology Services when he "abused his privileges as an employee and changed grades to benefit himself," said Greg Trevor, UGA’s executive director for media communications.
http://www.onlineathens.com/news/20180209/uga-student-accused-of-hacking-account-to-change-grades
2B0C0361-FB2E-499A-BAD9-ADDCB9C1997BMon, 12 Feb 2018 07:57:03 -0600Ex-student suspect in Mississippi State University records tampering caseAccording to Mississippi State University officials, one former student is the target of a search warrant in an investigation into university record tampering. MSU Chief Communications Officer Sid Salter told Logan Kirkland of the Starkville Daily News that the student graduated in December. The identity of the suspect and the nature of the records were not immediately disclosed, but Salter said the tampering "has an institutional impact" that could affect both students and faculty. No charges have been filed yet, but could come in days or weeks, Salter told the Daily News. There is still a "significant amount" of evidence to be sorted out by law enforcement.
https://www.clarionledger.com/story/news/local/2018/02/11/official-msu-records-tampering-has-institutional-impact/327459002/
A95F33C8-48CB-438D-B3EC-CCB9DDC7D0ECSun, 11 Feb 2018 14:00:27 -0600Cybersecurity Breach at University of Northern Colorado Exposes 12 Employees' Personal InformationThe private information of 12 University of Northern Colorado employees was compromised last week after an "unknown person or group" accessed their profiles on Ursa, UNC's online portal, according to a release from the university. Whoever is responsible for the breach logged in to the employees' Ursa accounts, then used the employees' social security numbers to reset their passwords and access their accounts, UNC spokesman Nate Haas said. From there, the perpetrator downloaded the employees' electronic W2 forms. UNC officials believe the employees' social security numbers were acquired outside the university.
http://www.govtech.com/security/Cybersecurity-Breach-at-University-of-Northern-Colorado-Exposes-12-Employees-Personal-Information.html
1211EA39-FF7E-44A1-A920-4899F02E548ATue, 6 Feb 2018 18:16:37 -0600Columbia University grad arrested for using key logger softwareA Columbia University grad student was arrested for leaving key logger malware on USB sticks left throughout the campus. Bill Liang Lin Wu, 23, was arrested Thursday after he was caught on camera leaving the credential stealing devices on a host of university computers shared by 14 professors. Wu graduated last spring but despite having a diploma, authorities say he returned to his alma mater on Jan. 19, when he allegedly started using the key loggers.
https://www.scmagazine.com/columbia-university-grad-busted-for-hacking-school-computers/article/742124/
62702CF9-7CF6-4D80-B4CC-6349E53EBBAFMon, 5 Feb 2018 18:18:07 -0600Higher ed IT experts point to security breaches as 'inevitable'Information security tops the list of critical IT issues for the third consecutive year, according to a report from EDUCAUSE, the higher education technology association. According to IT specialists, the finding points to a major blind spot in higher education. "While colleges and universities continue to invest in information security, we security practitioners have failed to clearly define a strategy for cybersecurity, and thus our leadership feels unmoored in response to the public drama of large-scale data breaches," said Michael Corn, chief information security officer at the University of California, San Diego.
http://edscoop.com/it-higher-ed-experts-point-to-security-breaches-as-inevitable-educause-report
DAFCEF07-1354-4496-9F15-8497B5846AE1Fri, 2 Feb 2018 21:22:26 -0600University of Baltimore adds safeguards to student data long left exposedThe University of Baltimore has added protections to personal student data that officials had left unsecured possibly for years, according to a state audit released this month. The information on 117,793 students was kept in text form in a database that contained names, addresses, dates of birth and Social Security numbers. The lapse was discovered during a routine audit by the Department of Legislative Services’ Office of Legislative Audits.
http://www.baltimoresun.com/news/maryland/education/bs-md-student-data-exposed-20180126-story.html
40E0B891-5624-451E-8943-678EE1D0C463Fri, 26 Jan 2018 12:06:01 -0600Arizona man gets six months in prison for hacking university email accountsAn Arizona man was sentenced to six months in prison on Wednesday after he pleaded guilty to hacking into over 1,000 email accounts at Pace University in New York in an attempt to download sexually explicit photos and videos. Jonathan Powell was arrested in November 2016. Prosecutors said at the time that Powell used password reset tools to change the passwords for more than 1,000 accounts at two universities, in New York and Pennsylvania. They said he tried to do the same at 75 other institutions.
https://www.reuters.com/article/us-usa-cyber-universities/arizona-man-gets-six-months-in-prison-for-hacking-university-email-accounts-idUSKBN1FD37O
F3467E15-3FBE-44D7-8F45-2A44AA671A2EWed, 24 Jan 2018 12:19:10 -0600'Jeopardy!' champ hacked accounts of college president, vice presidentStephanie Jass, a "Jeopardy!" champion and former Adrian College professor, took advantage of a campus-wide password reset to access the email accounts of President Jeffrey Docking, and outgoing Vice President Agnes Caldwell, according to a Michigan State Police report. As a result, Jass had a document "that consisted of notes and comments and 'problems'" regarding faculty members, a fellow professor told a detective.
http://www.mlive.com/news/jackson/index.ssf/2018/01/jeopardy_champ_hacked_accounts.html
ABA6B08A-CA93-4C9A-B047-2CC0EBD50475Mon, 22 Jan 2018 07:32:44 -0600UCF settles massive computer hacking caseThe University of Central Florida has agreed to spend an additional $1 million annually to protect students' and employees' personal information, according to a legal settlement reached with former students in the wake of a hacking that exposed 63,000 Social Security numbers. UCF agreed to add three information security positions, designate a full-time internal senior information security auditor and tighten access to personal information, as part of the settlement filed in Orange Circuit Court late last year.
http://www.orlandosentinel.com/features/education/school-zone/os-ucf-hack-suit-20180111-story.html
D6D99B82-8799-4E05-BCF7-04578EFE18DAThu, 18 Jan 2018 14:10:44 -0600Montana State University Billings notifying students after laptop was stolen in NovemberAnother laptop was apparently stolen from an employee’s car. This one was from the education sector, but it contained some student health information and health insurance information. The incident was reported by Montana State University Billings to the Montana Attorney General’s Office on January 5, and letters are going out today to affected students. The number of students potentially affected was not indicated in the notification letter.
https://www.databreaches.net/montana-state-university-billings-notifying-students-after-laptop-was-stolen-in-november/
DD52412E-873F-4574-80DF-9C4D28E50B8AFri, 12 Jan 2018 11:30:45 -0600Data breach at OSU Center for Health Sciences may have exposed Medicaid patient informationA November data breach at the Oklahoma State University Center for Health Sciences may have provided a third party with Medicaid patient information, according to OSU officials.
Patient names, Medicaid numbers, health care provider names, dates of service and limited treatment information might have been included in the breach, which was discovered Nov. 7, according to OSU-CHS. After learning that a third party gained access to folders on a server that stored Medicaid patient billing information, officials removed the folders and terminated the access. They also shut down the affected server, according to the release.
http://www.tulsaworld.com/homepagelatest/data-breach-at-osu-center-for-health-sciences-may-have/article_419bc1d4-4ec9-5cda-a921-385ed3e0d30a.html
DBDB4565-F357-430C-93AC-D2303E6BBF2EFri, 5 Jan 2018 08:57:01 -0600Penn Medicine computer with patient info stolenAbout 1,000 patients at Penn Medicine are receiving letters saying a computer with some of their personal information on it was stolen. A laptop containing patient files was reported stolen from a car at the King of Prussia Mall parking lot on Nov. 30, according to a spokesperson at the University of Pennsylvania Health System. So far, there is no indication the computer has been turned on or the patient information accessed, they stated.
http://www.philly.com/philly/health/penn-medicine-patient-information-stolen-identity-theft-hipaa-20180102.html
A6EE29C2-16C7-4161-B8F8-E7245D1AD649Tue, 2 Jan 2018 08:11:00 -0600LSU issues notifications regarding stolen laptopLSU is mailing letters to approximately 5,500 individuals whose information may have been contained on a university-owned laptop that was recently stolen from an LSU employee. The laptop may have contained individuals’ full names, dates of birth, Social Security numbers and/or driver’s license numbers. The laptop may also have contained the names and credit card information for a very small number of individuals.
https://www.ktbs.com/news/lsu-issues-notifications-regarding-stolen-laptop/article_22377450-e1e9-11e7-858b-8f41eb0785cd.html
DBEEC686-7F16-4078-AD90-1125254AE33DFri, 15 Dec 2017 09:33:58 -0600‘Tis the Season for Cyber Criminals to Infiltrate Companies with Phishing ScamsWho knew that getting a great deal on snowflake socks or yoga mats could put your organization at risk? It’s that time of year when the shopping frenzy is upon us. The holidays put everyone at a heightened risk for online scams, scareware, and phishing attempts. Your employees could be the perfect targets for cyber criminals to use phishing scams to infiltrate your company with malware or worse. Up to 95 percent of all attacks on enterprise networks are the result of successful spear phishing, according to a study by SANS.
http://complianceandethics.org/tis-season-cyber-criminals-infiltrate-companies-phishing-scams/
68EDC2F2-9836-4E6B-93C4-22BB76B45568Thu, 14 Dec 2017 15:06:53 -0600Data Breach at Website with 45 Million Users Discovered During Academic ResearchA team of three researchers from the University of California, San Diego (UCSD) has created a tool that can detect when user-registration-based websites suffer a data breach. In a live test, researchers said they registered accounts at over 2,300 sites. At the end of the study's period, scientists said that attackers accessed email accounts for 19 of these sites, including one with a userbase of over 45 million.
https://www.bleepingcomputer.com/news/security/data-breach-at-website-with-45-million-users-discovered-during-academic-research/
AB7C390A-08FA-466A-87CC-482F0A66CA24Thu, 14 Dec 2017 15:04:19 -0600Man pleads guilty to Rutgers University cyber attacksA 21-year-old Fanwood man, a former Rutgers University undergraduate student, is facing prison after admitting to launching a cyber attack on the university's computer network that effectively shut down its server, impacting communication by staff, faculty and students. Paras Jha pleaded guilty to violating the Computer Fraud & Abuse Act on Wednesday before U.S. District Court Judge Michael Shipp, according to Acting U.S. Attorney William E. Fitzpatrick of the District of New Jersey.
http://www.mycentraljersey.com/story/news/crime/2017/12/13/fanwood-man-pleads-guilty-rutgers-university-cyber-attack/948951001/
77E09826-37C7-4562-9591-5B14238D0720Wed, 13 Dec 2017 00:00:00 -060024,000 UNC Health Care patients affected by potential security breachUNC Health Care is notifying 24,000 patients about a potential security breach at a UNC dermatology practice in Burlington. UNC said Friday that personal patient information was contained on a hard drive of a computer that was stolen from UNC Dermatology & Skin Cancer Center in October. The computer's hard drive is password-protected and contains information pertaining to patients seen by the practice through September 2015, when it was acquired by UNC Health Care. The computer’s patient database contains patient names, addresses, phone numbers, employment status, employer names, birth dates and Social Security numbers.
http://www.newsobserver.com/news/business/article188757969.html
0173C7C8-0038-4E91-A3B9-E85EC9D7208FFri, 8 Dec 2017 00:00:00 -0600Clarion University Email Compromised, Investigation UnderwayClarion University was notified of an email compromise that occurred because of a criminal phishing scam that compromised two email accounts in the registrar's office.
The unauthorized individual or individuals had access to the accounts between October 7 and October 10. "Clarion University is committed to data integrity and privacy protection," said Communication Manager Tina Horner. "The email compromise potentially exposed Social Security and/or driver's license numbers belonging to 408 students. Following discovery of the incident, Clarion University immediately initiated an investigation and suspended the email accounts that were compromised."
http://www.exploreclarion.com/2017/12/07/clarion-university-email-compromised-investigation-underway/
5AA12BB5-39DE-43C5-8214-482FA6DA38CDThu, 7 Dec 2017 00:00:00 -0600Major Data Breach Leads Stanford University Executive to ResignThe chief digital officer of Stanford’s Graduate School of Business has resigned after the university failed to disclose a data breach of personal information.
According to the SF Gate, Ranga Jayaraman, who had worked at Stanford for six years, e-mailed colleagues Saturday morning to announce his resignation.
"I take full responsibility for the failure to recognize the scope and nature of the ... data exposure and report it in a timely manner to the dean and the University Information Security and Privacy Office," said Jayaraman. "I would like to express my most sincere apologies ... to anyone whose personal information might potentially have been compromised."
https://www.nbcbayarea.com/news/local/Major-Data-Breach-Leads-Stanford-Executive-to-Resign-462419083.html
D06FAD02-EF64-41D0-9658-A40E0320F460Wed, 6 Dec 2017 00:00:00 -0600Inside the Stanford Breach: Sexual Assault, Disciplinary and Financial Data ExposedA series of cybersecurity vulnerabilities at Stanford University exposed thousands of sensitive files containing details of sexual assault investigations, disciplinary actions and more. The details of what happened - and why it should be an object lesson for higher education.
https://www.pbwt.com/data-security-law-blog/inside-the-stanford-breach-sexual-assault-disciplinary-and-financial-data-exposed/
F6B90D25-EBBF-41D6-9D86-CCCD9D0B5B1BMon, 4 Dec 2017 00:00:00 -0600Hacked IV Pumps and Digital Smart Pens Can Lead to Data BreachesAn attack on a single IV infusion pump or digital smart pen can be leveraged to a widespread breach that exposes patient records, according to a Spirent SecurityLabs researcher. "Perpetuators can use this patient information to file false insurance claims as well as to buy medical equipment and drugs using a fake ID. These products are then easily sold on the black market," Harit says. "What makes medical data more lucrative than the financial data is the low and slow detection rate of the fraud itself. While a credit card fraud can be detected and blocked in a matter of minutes these days, medical data fraud can go undetected for months, if not more."
https://www.darkreading.com/mobile/hacked-iv-pumps-and-digital-smart-pens-can-lead-to-data-breaches/d/d-id/1330536
32EF1FD6-DD3E-425D-8C7C-20AAB0CE9080Mon, 4 Dec 2017 11:38:51 -0600Patients at UAB Medicine clinic affected by possible data breachPatients of the UAB Viral Hepatitis Clinic may have had their protected health information exposed during an Oct. 25 data breach, UAB Medicine released late Thursday morning. The 652 patients affected were notified of the incident by letter, the university hospital said. Patients' first and last names, birth date, gender, diagnosis, date and time of the examination, numbers and images associated with test results, and -- in some cases -- the name of the referring physician may have been exposed. According to UAB Medicine, the breach involved the loss of two USB memory sticks (jump drives) used to transfer electronic information to a computer from a Fibroscan machine used to evaluate liver disease.
http://www.al.com/news/birmingham/index.ssf/2017/11/patients_at_1_uab_medicine_cli.html
5545D258-4DAC-43C4-AD79-C5B720823991Thu, 30 Nov 2017 00:00:00 -0600Stanford University data glitch exposes truth about scholarshipsStanford Business School officials are admitting that for years they have given steep price breaks to preferred applicants while claiming the scholarships were only for needy students -- and say they will close a glitch that allowed public access to thousands of confidential student financial aid records. A student discovered in February that the files were accessible to all business school students and employees, and informed the school about the vulnerability. He also downloaded the information and spent months studying financial aid data from 2008 to 2015. The result was a 378-page statistical analysis that revealed the difference between the school’s claim of fairly awarded scholarships and what it had actually been doing.
http://www.sfchronicle.com/education/article/Stanford-University-data-glitch-exposes-truth-12396695.php
C248BDBC-F38D-4364-A1E2-B142779B3C8BThu, 30 Nov 2017 00:00:00 -0600Hackers could get even nastier in 2018: researchersAfter a year marked by devastating cyber attacks and breaches, online attackers are expected to become even more destructive in 2018, security researchers said Wednesday. A report by the security firm McAfee said the ransomware outbreaks of 2017 offer just a taste of what's to come as hackers develop new strategies and "business models." McAfee researchers said that as ransomware profitability fades in the face of new defenses, hackers will turn to new kinds of attacks that could involve damage or disruption of computers and networks. Attackers will also look to target wealthy individuals and aim at connected devices which offer less security than computers and smartphones.
https://phys.org/news/2017-11-hackers-nastier.html
5FD45409-03DA-4A37-8543-2E378108F79FWed, 29 Nov 2017 00:00:00 -0600University Hospital Patient Information Was Potentially Vulnerable to HackersUniversity of Chicago hospital patient information was potentially vulnerable to hackers due to weaknesses in the University’s network, a Maroon investigation revealed. Experts suspect that vulnerabilities like these are likely to be found at many hospitals, universities, and institutions around the world. The weeks-long investigation, encompassing a manual review of tens of thousands of lines of network scan logs, interviews with sources who have explored the University’s network, and conversations with multiple cybersecurity experts, found that networked printers accessible by anyone on the University network were being used to print what seemed to be sensitive health documents, like organ donation logs, surgery face sheets, prescriptions, and even medical records, some of which may have been protected by federal privacy law. Researchers have shown that documents printed on printers like these are vulnerable to being remotely stolen by hackers relatively easily.
https://www.chicagomaroon.com/article/2017/11/28/university-chicago-hospital-patient-information-vulnerable/
FAD7E588-59CE-403E-BD82-D6ECF593725CTue, 28 Nov 2017 08:07:58 -0600Privacy breaches in University file system affect 200 peopleStanford is in the process of notifying some 200 people -- a mix of employees and former students -- that their privacy may have been breached due to incorrect settings in one of the University’s file-sharing systems. Until this week, files including sexual violence records based on counseling sessions, confidential University statistics and emails to the Office of Judicial Affairs -- some with names and email addresses attached -- were left broadly available on an internet server that students, faculty and staff from over 50 institutions regularly use. Any Stanford faculty, student or staff member with a SUNet ID was able to access the sensitive files; The Daily also found that an MIT student username and password were able to grant access
https://www.stanforddaily.com/2017/11/17/privacy-breaches-in-university-file-system-affect-200-people/
D3B48DC8-87F4-4C1B-9421-C446D9065F94Fri, 17 Nov 2017 09:19:49 -0600Women allegedly hack college computer system to change gradesThe Bucks County District Attorney's office said Aleisha Morosco tried multiple times to change her microbiology grade. After several failed attempts, she enlisted a friend's help, orchestrating a security breach at Bucks County Community College. Authorities said while working at a medical office affiliated with Penn Medicine, Kelly Marryott accessed a faculty member's personal information and leaked it to her friend, Aleisha Morosco. Desperate to change her grade, Morosco then used the stolen data to gain unauthorized access to BCCC's computer system. Officials said while inside the system, Morosco changed not just her grade, but several other students' grades in her microbiology class.
http://6abc.com/women-allegedly-hack-college-computer-system-to-change-grades/2659397/
17D01A03-EC0A-4D3D-B987-0BD32313A18EFri, 17 Nov 2017 08:57:36 -0600 7 Tips and Tools to Protect University Campuses from Cyber AttacksA recent report by the Identity Theft Resource Center shows that data breaches in the United States are occurring at a record pace this year, and that hacking, from phishing attacks, ransomware and malware, has caused nearly two-thirds of the breaches. Overall, the ITRC reports that by early August, 10 percent of the breaches in 2017 have occurred in education, resulting in more than 1 million records getting compromised. None of us want to be on that list. Colleges and universities face new threats every day, so it’s important for IT departments to be proactive and continually work to enhance security. Here are some best practices to protect university data.
https://k12.cioreview.com/cioviewpoint/7-tips-and-tools-to-protect-university-campuses-from-cyber-attacks-nid-25214-cid-143.html
2C560FFA-7B53-40DB-A0FD-189989126553Mon, 13 Nov 2017 09:46:01 -0600Use of GroupMe app leads to code of conduct violationsAfter being caught sharing answers to course assignments in a messaging app called GroupMe last spring, 83 undergraduate students enrolled in a principles of marketing course were charged with violations of the student code of conduct, calling into question the ethics behind using technology to collaborate with classmates. The Fisher College of Business students were reported by their professor in April, according to a statement from Ohio State spokesman Ben Johnson. "The charges include unauthorized collaboration on graded assignments, which is prohibited under the Code of Student Conduct," the statement reads.
https://www.thelantern.com/2017/11/use-of-groupme-app-leads-to-code-of-conduct-violations/
288BF4D0-951A-4927-BA08-D38349BAE6ABMon, 6 Nov 2017 00:00:00 -0600Hacker Holds University for Ransom, Threatens to Dump Student InfoA hacker is trying to extort a Canadian university, threatening to dump student information unless university top brass pay 30,000 CAD (23,000 USD). The extortion attempt's victim is the University of Fraser Valley (UFV), a Canadian university. A hacker or hacker group breached the university's network, from which it gathered information such as names, email addresses, phone numbers, physical addresses, grade information, in some instances limited financial details, and possibly more. UFV shut down its email system until November 6, in an attempt to prevent the proliferation of other emails containing data of other students.
https://www.bleepingcomputer.com/news/security/hacker-holds-university-for-ransom-threatens-to-dump-student-info/
5957C2F1-4596-4177-92C2-479474D79F0CThu, 2 Nov 2017 00:00:00 -0500High-tech cheating scheme prompts charges at University of IowaA former University of Iowa wrestler has been arrested on federal computer-hacking charges in a high-tech cheating scheme in which he allegedly obtained advanced copies of tests and changed grades for himself and classmates. Trevor Graves, 22, carried out the scheme by secretly installing devices known as keyloggers in computers in university classrooms and labs that allowed him to record what his professors typed, including their credentials to log into university grading and email systems, according to the FBI.
http://www.press-citizen.com/story/news/education/university-of-iowa/2017/10/27/high-tech-cheating-scheme-prompts-charges-university-iowa/808335001/
E76F60C6-45AB-434A-A006-BFD2AE5ABBACFri, 27 Oct 2017 00:00:00 -0500Chinese university uses facial recognition to track student attendanceFacial recognition is becoming increasingly common in China, where it has been installed at ATM machines and KFC restaurants. Now the technology has arrived in university classrooms to track student attendance. Shen Hao, a professor with Communication University of China, is using facial recognition in his six courses to keep track of the attendance of more than 300 students.
http://www.chinadaily.com.cn/china/2017-10/25/content_33688879.htm
C21EE4E2-842D-46E8-BB10-46C01A3C0DA9Wed, 25 Oct 2017 00:00:00 -0500Student information leaked from Creighton University Trio programA number of Omaha parents are now upset about a recent data breach at Creighton University. An email was sent to students and parents as a reminder for the upcoming ACT tests, but it accidentally contained students' first names, last names, Social Security numbers, grades, email addresses, phone numbers and dates of birth.
http://www.crossroadstoday.com/story/36683166/student-information-leaked-from-creighton-university-trio-program
233B27CF-2FBC-4975-8307-B6357CDFD6E1Wed, 25 Oct 2017 00:00:00 -0500Easy-to-get hacking device puts KU professors' information in student's handsA recent hack of University of Kansas professors' personal information has faculty worried that an easily accessible hacking tool could have students tampering with private data on campuses everywhere.
The KU hacker was an engineering student who used a keystroke logger to pry into professors' computers and change all his failing grades to A's.
http://www.kansascity.com/news/local/article178522396.html
96A6FA4F-F3E9-4253-90C3-290FC3DDA132Mon, 16 Oct 2017 22:25:59 -0500Cybercrime Targeting Higher Education: What Needs To Be DoneOver the past 10 years, we have reported on countless retailers, credit bureaus, insurance companies and other businesses hit by hackers, with millions of customer data records breached. The IT security pros at Logicalis pose the question "What could be worse?" Well, there's a simple two-word answer, they say: Higher Education. The key problem for colleges and universities is that they collect very private and diverse kinds of data -- with everything from medical information to financial and credit card data -- and not just about students, but also their parents, and even emergency contacts. There are also applications, transcripts, disciplinary records, and other private information.
http://www.sci-tech-today.com/news/Cybercrime-Targeting-Higher-Ed/story.xhtml?story_id=030003CM6DRC
F767D10A-DF4A-408E-9540-803D86E92AE7Wed, 11 Oct 2017 00:00:00 -0500University of Regina probing grade 'irregularities' in faculty of engineeringThe University of Regina is investigating the possibility that one or more students hacked into its computers in order to adjust grades. Officials are "investigating irregularities in the grades of four classes in the Faculty of Engineering," Kim McKechney, associate VP of external relations, wrote in an email. He said the adjustment of grades appears to have happened sometime this summer. He said it was discovered in late August and the university took immediate action.
http://www.cbc.ca/news/canada/saskatchewan/university-regina-investigates-grade-irregularities-engineering-1.4342257
58557E19-4224-462B-A991-3D7BF2D01C0FFri, 6 Oct 2017 00:00:00 -0500Cabrillo College issues notice of data breach to 28,000 studentsThousands of students at Cabrillo College received a notice of a data breach yesterday. On September 5, 2017, Cabrillo learned that an unauthorized person gained access to one of its servers. The school immediately disabled the server, began an investigation, and determined that the server contained a database that maintained student orientation information. The student orientation information included the students’ names, dates of birth, email addresses, user names, and passwords used to access the orientation database, and in some instances Social Security numbers.
http://www.kion546.com/news/cabrillo-college-issues-notice-of-data-breach-to-28000-students/632786868
4189D216-AE34-4352-BF12-DDC25937A4EBFri, 6 Oct 2017 00:00:00 -0500The personal information of 1,581 students at North Carolina A&T State University was leaked following a "data security incident."The personal information of 1,581 students at North Carolina A&T State University was leaked following a "data security incident." It happened on Tuesday when a faculty member within the College of Business and Economics accidentally emailed a file containing personal information to a group of students. "I was shocked as well because you know especially with a big school like this, that's something they should specialize in as far as protecting our identities from fraud. So, I was shocked and I was little bit scared myself," said one of the students impacted.
http://myfox8.com/2017/09/28/some-nc-at-students-personal-information-leaked-in-security-incident/
65E2F4C0-B8EF-4AD1-BF72-AD732B34D092Sat, 30 Sep 2017 00:00:00 -0500Digital expectations of students and parents in 2017Your website remains your most influential marketing resource. Students and parents scored websites ahead of financial calculators, school emails and print materials for parents. Your site needs to be easy for smartphone users to navigate because 95 percent of high school seniors and their parents use mobile devices for their web browsing. Moreover, 74 percent of seniors and 60 percent of juniors have completed a college online form on their phone. So make sure it's easy - 29 percent of seniors have submitted applications via phones.
https://www.universitybusiness.com/article/deep-dive-digital-habits
FE8FDB39-A32D-4BE0-8339-5EBE38313CA0Mon, 25 Sep 2017 08:29:39 -0500Northwestern University provides identity theft protection and credit monitoring services at no cost to all faculty and staff.As a result of the Equifax breach, Northwestern is prepared to provide identity protection and credit monitoring services at no cost for all faculty and staff.
https://news.northwestern.edu/stories/2017/september/university-actions-regarding-equifax-data-breach/
622C58B0-1890-42B5-9661-B3B102EDEDAFMon, 11 Sep 2017 00:00:00 -0500Student Disability Services accidentally revealed the emails of 299 accommodated studentsPenn Student Disability Services accidentally sent out an email on Sept. 6 revealing the email addresses of 299 students who receive accommodations from SDS. A Nursing senior who receives accommodations from SDS said the email, which was sent at 11:30 a.m., was just a "routine back-to-school email" that failed to Blind Carbon Copy its recipients, exposing the emails of students on the SDS email list.
http://www.thedp.com/article/2017/09/student-disability-services-accidentally-revealed-the-emails-of-299-accommodated-students
9C4CF558-2D00-428F-9A24-08C7F316A24BSun, 10 Sep 2017 00:00:00 -0500Former Ithaca College student charged in theater department hackFormer Ithaca College student Paul Fasy has been arrested and charged with computer tampering in the fourth degree for allegedly hacking the Department of Theatre Arts' Instagram page and changing the profile picture to a Confederate flag during the Spring 2017 semester. The theater department’s Instagram page was hacked March 26. In addition to changing the profile picture, the hacker deleted two years’ worth of content.
https://theithacan.org/news/former-ithaca-college-student-charged-in-theater-department-hack/
BED78E3D-7F86-41B6-8BD8-16FF8F3A693BWed, 23 Aug 2017 08:48:25 -0500UC servers crash on first day of classesThe University of Cincinnati's online services, including UC Mail, Catalyst, and any other UC related webpage, went down at approximately 10:15 Monday morning, disrupting the first day of classes for students and professors alike. The disruption was caused by a data center emergency shutdown, which was the result of the fire suppression system responding to smoke in the data center cooling system the next morning, according to a campus-wide email from Nelson C. Vincent, Vice President and Chief Information Officer of IT.
http://www.newsrecord.org/news/uc-servers-crash-on-first-day-of-classes/article_8c80250c-87a6-11e7-b894-1fb17161b1b6.html
FE7EC6CF-D3EC-44E5-8475-3802A94CEE23Tue, 22 Aug 2017 07:55:59 -0500Cyberattack on UCLA server potentially accesses student informationA cyberattack on a UCLA administration server potentially breached the personal information of about 32,000 students earlier this week, UCLA officials said. On Monday, UCLA reported an alleged May 18 cyberattack on a Summer Sessions and International Education Office server. The server contained the personal information of thousands of students, according to an Information Security Office bulletin.
http://dailybruin.com/2017/08/04/cyberattack-on-ucla-server-potentially-breaches-student-information/
5DF1D695-2DCE-4914-B752-0AE56106815FFri, 4 Aug 2017 08:53:44 -0500Email scam exposes patient information at UVM Medical CenterInformation on about 2,300 patients at the University of Vermont Medical Center was accessible to hackers after two employees fell victim to a phishing scam in late May and early June, the hospital said. No patients’ Social Security numbers or financial records were exposed, the hospital said in a statement Friday. But the compromised accounts contained "messages with patients’ information, which may have included names, addresses, medical record numbers and clinical information, such as diagnosis, treatment, and medications."
https://vtdigger.org/2017/07/25/email-scam-exposes-patient-records-uvm-medical-center/
6D8EC856-4A51-4C0A-A974-89015ABF32AETue, 25 Jul 2017 13:10:42 -0500University of Mississippi Medical Center to pay $2.75 million HIPAA breach settlementThe University of Mississippi Medical Center has agreed to pay a $2,750,000 fine levied by the Department of Health and Human Services Office for Civil Rights to settle several violations of the Health Insurance Portability and Accountability Act. The breach goes back to March 21, 2013, when UMMC’s privacy officer discovered a password-protected laptop was missing from UMMC’s Medical Intensive Care Unit and notified OCR.
http://www.healthcareitnews.com/news/university-mississippi-medical-center-pay-275-million-hipaa-breach-settlement
0046CCD6-6F15-4EC2-828A-3E5540E0C822Tue, 25 Jul 2017 13:04:00 -0500Small data breach at BYU put student information at riskBrigham Young University is warning several hundred present and former students about a data breach that may have compromised students' personal information. The data breach originally occurred on June 10 when a server at BYU was accessed by an unauthorized source. At the time of the breach it appeared that no personal information was compromised, but upon further review investigators found that the server accessed contained a file with the personal information of 800 former and current students.
http://www.heraldextra.com/news/local/central/provo/small-data-breach-at-byu-put-student-information-at-risk/article_6f8e62b6-15fa-5a78-b808-e5cad9ba6dc3.html
144AD3F0-9A7F-4942-8E39-35EB3E785AD6Thu, 20 Jul 2017 13:09:09 -0500University of Iowa Health Care warns thousands of patient data breachUniversity of Iowa Health Care has notified 5,300 patients that a "limited set of data containing protected health information" was posted online for two years. Back in May 2015, the private health information -- including patient names, dates of admission, and medical record numbers -- was inadvertently saved in unencrypted files and posted online through an application development site that others could see, according to UIHC.
http://www.thegazette.com/subject/news/education/higher-education/university-of-iowa-health-care-warns-thousands-of-patient-data-breach-20170711
9BAFC26A-2D56-482E-ADCE-0029BEF885BETue, 11 Jul 2017 08:09:42 -0500Email Phishing Scam Causes UC Davis Health Data BreachUC Davis Health is notifying approximately 15,000 patients of a security breach after an employee fell prey to an email phishing scam. Despite the breach, the company says there is no indication that any personal or medical information was taken. As a precaution, UC Davis Health says it’s providing credit and identity protection to people whose information was stored in the system.
http://sacramento.cbslocal.com/2017/07/06/email-phishing-scam-leads-to-uc-davis-health-data-breach/
4A456250-7262-4DC2-8E45-8C0114175E19Thu, 6 Jul 2017 13:17:59 -0500Report shows extent of campus cyber attack activitiesIt’s no secret that college and university networks have long been prone to cyberattacks of various kinds. Whether the incidents involve malicious attempts to bring down a school’s network, phishing attacks or using the network as the unsuspecting host for dormant malware that can be activated remotely, the open access nature of higher ed networks makes them particularly susceptible.
https://www.universitybusiness.com/article/report-shows-extent-campus-cyber-attack-activities
DEBBAEB7-B97D-47EE-950F-7674687D6CC8Tue, 27 Jun 2017 09:35:32 -0500WSU sends warning to 1 million people after hard drive with personal info is stolenWhen thieves broke into an Olympia storage locker in April and hauled away an 85-pound locked safe, they set in motion a series of events that forced Washington State University to send letters to 1 million people advising them their data might have been compromised. The safe contained a computer hard drive -- a backup containing personal information, including Social Security numbers, that was stored off-site by WSU’s Social & Economic Sciences Research Center.
http://www.seattletimes.com/seattle-news/education/did-you-get-letter-wsu-sends-warning-to-1-million-people-after-hard-drive-with-personal-info-is-stolen/
15D796F9-56F1-4150-B443-D67F456DB126Thu, 22 Jun 2017 08:01:23 -0500OU shuts down file sharing service after failing to protect thousands of students' recordsOU unintentionally exposed thousands of students’ educational records -- including social security numbers, financial aid information and grades in records dating to at least 2002 -- through lax privacy settings in a campus file-sharing network, violating federal law. The university scrambled to safeguard the files late Tuesday after learning The Daily had discovered the breach last week. The Daily spoke to vice president for admissions and records Matt Hamilton Tuesday afternoon, when he said OU IT was aware of the breach and was working to secure the files.
http://www.oudaily.com/news/ou-shuts-down-file-sharing-service-after-failing-to-protect/article_4f9a5e2c-50a2-11e7-a807-2f591e6c54f0.html
F3644A96-BE81-40AC-9761-B45C85173827Tue, 13 Jun 2017 08:43:57 -0500Washington State University says personal data was inside stolen safeWashington State University is offering identification theft services after a safe containing personal information was stolen. The locked safe contained a hard drive with back-up files from the school's Social & Economic Sciences Research Center that included names, Social Security numbers and personal health information for survey respondents.
http://www.bizjournals.com/seattle/news/2017/06/12/washington-state-university-data-breach.html
B8191F95-859A-4B3A-94F4-63D547583206Mon, 12 Jun 2017 11:32:15 -0500University of Alaska: thousands affected by data breach, including names, social security numbersApproximately 25,000 students, staff, and faculty members associated with the University of Alaska were affected following a successful phishing scam and subsequent data breach late last year. The University of Alaska sent out letters to those people who had their names and accompanying social security numbers exposed to "an individual or individuals unknown to [the university]" due to an email scam.
http://www.ktuu.com/content/news/University-of-Alaska-thousands-affected-by-data-breach-including-social-security-information-425538543.html
A25DFB4D-6E32-4BFC-894C-74274CADE0F2Thu, 1 Jun 2017 09:34:52 -0500Investigation into phishing attack at Augusta UniversityAugusta University says a phishing attack hit faculty email accounts containing the health information of patients. A spokesperson for A-U confirms less than one percent of patients are impacted by the security breach. Officials say an unauthorized third party broke into the medical faculty email accounts. The breach happened between September 7th and September 9th of last year. In addition to patients’ full names, the e-mail accounts may have contained any of the following patient information: home address, date of birth, Social Security number, financial account information, medical record number, insurance information.
http://www.wfxg.com/story/35533360/investigation-into-phishing-attack-at-augusta-university
001F9330-6CD4-42E3-9E17-920E54F250E4Sat, 27 May 2017 08:06:17 -0500UW Health: Information on 2,036 patients compromised after data breachUW Health says that 2,036 patients had information compromised after an employee's email account was used by an unauthorized user. UW Health says they learned on March 28, 2017 that a breach of information happened on March 16, 2017. Officials say an unauthorized individual got access to an employee's credentials and email account. In the review, UW Health found some of the emails compromised contained patient information which may have included patients’ names; addresses; dates of birth; dates of service; providers’ names; reason for visit; medical history and conditions, medications; diagnostic results and/or social history.
http://www.wbay.com/content/news/UW-Health-information-on-2036-patients-compromised-424454484.html
AB385BA6-4236-4D5E-998E-A8090E144D02Thu, 25 May 2017 09:52:21 -0500A poetic prank: Harvard's student newspaper was hacked to make fun of commencement speaker Mark ZuckerbergMark Zuckerberg is giving the commencement address at Harvard on Thursday after famously dropping out 12 years ago to create Facebook. And in an ironic turn of events, Harvard's student newspaper, The Harvard Crimson, was hacked on the same day to show fake stories trolling Zuckerberg. Many of the fake stories were quickly taken down, and the Crimson confirmed to Business Insider that it had in fact been hacked.
http://www.businessinsider.com/harvard-student-newspaper-crimson-hacked-mark-zuckerberg-2017-5
FA93E73A-92A1-4536-B72B-EC3663843C50Thu, 25 May 2017 08:39:37 -0500UW-Madison's main Twitter account hackedUW-Madison officials had to wrestle back control over their Twitter account Wednesday morning after a hacker posted a series of bizarre and profane tweets to the university's 160,000 followers. Someone accessed the @UWMadison account and tweeted four times between 6:31 and 6:36 a.m., posting a YouTube link and a message that appeared to credit another Twitter user for the hack. Twitter has suspended that user's account. There were few details Wednesday of who took over the account or how the hack was carried out.
http://host.madison.com/wsj/news/local/education/university/uw-madison-s-main-twitter-account-hacked/article_4377390e-a6cb-5388-87fe-525d22dca776.html
218D614C-99A7-47BB-833C-082D5DA514E9Wed, 17 May 2017 15:41:58 -0500Colleges Dodge Massive CyberattackCollege information security officers returned to work on Monday with their fingers crossed. Universities in the U.S. dodged the initial wave of a massive cyberattack that, among other disruptions, paralyzed hospitals in Britain, shut down telecommunications services in Spain and brought a temporary halt to Renault’s production line in France. Brazosport College in Lake Jackson, Tex., was one of the few institutions in the U.S. that reported cases of the WannaCry attack Friday. The public college, which has about 4,300 students, discovered a total of two computers infected with the malware, said Ron Parker, director of information technology. Both computers were wiped clean, he said.
https://www.insidehighered.com/news/2017/05/16/us-colleges-dodge-first-wave-ransomware-attack-wannacry?utm_source=Inside+Higher+Ed&utm_campaign=b4746e8cc7-DNU20170516&utm_medium=email&utm_term=0_1fcbc04421-b4746e8cc7-198624309&mc_cid=b4746e8cc7&mc_eid=c27b65b094
7A06E354-C4BB-42B4-ACD7-34AC80A85FB7Tue, 16 May 2017 13:39:18 -0500NYU Accidentally Exposed Military Code-breaking Computer Project to Entire InternetIn early December 2016, Adam was doing what he’s always doing, somewhere between hobby and profession: looking for things that are on the internet that shouldn’t be. That week, he came across a server inside New York University’s famed Institute for Mathematics and Advanced Supercomputing, headed by the brilliant Chudnovsky brothers, David and Gregory. The server appeared to be an internet-connected backup drive. But instead of being filled with family photos and spreadsheets, this drive held confidential information on an advanced code-breaking machine that had never before been described in public.
https://theintercept.com/2017/05/11/nyu-accidentally-exposed-military-code-breaking-computer-project-to-entire-internet/
1320C0C0-8C8B-4610-A9CA-EDE2B570FD78
Thu, 11 May 2017 16:04:28 -0500

Thief makes off with LSU Health hard drive, along with medical information on 2,200 patients
A hard drive containing the personal information of 2,200 LSU Health New Orleans patients was stolen in March, and while police quickly made an arrest, the hard drive has not been recovered, the LSU Healthcare Network said Friday. The network said the theft occurred in the Department of Neurology Research on or around March 6. Law enforcement was notified immediately, and a suspect was arrested March 7. The hard drive contained patient lists for research studies done between 1998 and 2009, including names, dates of birth, and diagnosis and treatment codes.
http://www.theadvocate.com/new_orleans/news/crime_police/article_1b8f24da-31d2-11e7-89e8-0791b7585b05.html
94411318-D761-4885-B5F4-CACA94629ECA
Fri, 5 May 2017 09:04:44 -0500

Details of FAFSA data breach revealed in House testimony
The details of a recent data breach affecting 100,000 taxpayers were revealed in testimony before the House of Representatives Oversight and Government Reform Committee in Washington on Wednesday. The data breach involved the IRS’s data-retrieval tool that is used to complete the online Free Application for Federal Student Aid (FAFSA). Before it was shut down in March, the data-retrieval tool allowed students and parents to access their adjusted gross income (AGI) information through an interface with the IRS and to complete the FAFSA by transferring the AGI information directly onto their FAFSA form.
http://www.journalofaccountancy.com/news/2017/may/irs-data-breach-fafsa-tool-201716597.html
B694FC1A-6A5B-42AF-AC4A-9DA6DE5DCF64
Wed, 3 May 2017 08:05:19 -0500

Westminster College reports employee data breach
A late-January data breach at Westminster College in Fulton did not affect student academic records or financial aid information, college officials confirmed on Saturday. The breach of employee information was discovered March 26, according to a statement from Lana Poole, vice president and chief communications officer at Westminster. Poole said the breach was the result of a phishing scam and was reported to law enforcement authorities.
http://www.columbiatribune.com/news/education/westminster-college-reports-employee-data-breach/article_a3508d34-af9e-5078-b4dd-91475ccf4f6a.html
A6EDF214-1097-44CE-9E36-698820FF381D
Sun, 16 Apr 2017 11:23:49 -0500

U of L: Tax information of some employees hacked
Tax information for dozens of University of Louisville employees has been compromised after a hack of the online system the university uses to give employees access to tax documents. John Karman, university director of media relations, said Friday the university confirmed that 83 employees' W-2 forms were downloaded or accessed without authorization from the university or the employees. U of L uses W-2 Express, a product of Equifax Inc. (NYSE: EFX), to provide employees access to W-2 forms and other tax documents. This system was hacked, but it isn't clear where the hack happened.
http://www.bizjournals.com/louisville/news/2017/04/07/u-of-l-tax-information-of-some-employees-hacked.html
3ABBD62F-1838-4BE9-8813-D8863B681639
Fri, 7 Apr 2017 08:46:42 -0500

Millions of Stolen US University Email Credentials for Sale on the Dark Web
Stolen email addresses and passwords from the largest US universities are offered for sale on the Dark Web at anywhere from $3.50 to $10 apiece. But that's only a snapshot of a lucrative underground market for pilfered -- and even spoofed and phony -- student, faculty, staff, and alumni email credentials, according to new research published today by the nonprofit Digital Citizens Alliance (DCA) that searched the Dark Web for credentials from the top 300 US universities.
http://www.darkreading.com/threat-intelligence/millions-of-stolen-us-university-email-credentials-for-sale-on-the-dark-web--/d/d-id/1328511?_mc=NL_DR_EDT_DR_daily_20170330&cid=NL_DR_EDT_DR_daily_20170330&elqTrackId=03d02dfa646a4fd79725e3b68edb9fb0&elq=86e77866036f458a8396980d1f516738&elqaid=77603&elqat=1&elqCampaignId=26102
CC51B346-40D6-497A-9195-F7151395AC62
Wed, 29 Mar 2017 13:07:20 -0500

Wash U med school hit by phishing attack, patient info may have been accessed
A third party may have gained unauthorized access to patient information -- including names, birth dates and social security numbers -- after a phishing attack at Washington University's medical school. A post on the Washington University School of Medicine website said an employee fell for a phishing email designed to look like an official request for information. After learning of the incident, the school secured emails and began an investigation.
http://www.ksdk.com/news/local/wash-u-med-school-hit-by-phishing-attack-patient-info-may-have-been-accessed2/426022895
37E65AAF-03C9-4DDF-B148-E05844A6329D
Mon, 27 Mar 2017 13:01:58 -0500

Data breach may put Daytona State College students' personal info at risk
Daytona State College students who applied for financial aid might find themselves in a financial mess. The school said a data breach involving financial aid forms means thieves could have personal information needed to steal students' identities. It marks the second security breach involving the school. It said the breach involved federal financial aid records, and students' parents may also be at risk. Students said the school sent out this letter over the weekend saying it uncovered a data breach involving students who applied for the free application for federal student aid, or FAFSA.
http://www.wftv.com/news/local/data-breach-may-put-daytona-state-college-students-personal-info-at-risk/506505427
139DDC62-8898-45B2-8022-065A77CE506F
Mon, 27 Mar 2017 07:53:04 -0500

Thieves allegedly steal over $1 million from Coastal Carolina University
Coastal Carolina University was scammed out of approximately $1.1 million and is working with multiple law enforcement agencies to investigate the phishing scams that happened in December, according to a news release. Two similar incidents happened around Dec. 9 when an individual claiming to represent a company under contract with the university contacted CCU via email to request a change in the company’s bank account information, CCU said.
http://www.thestate.com/news/state/south-carolina/article140219633.html
F8B34E78-03D8-42A1-9F88-9E8361A89A22
Wed, 22 Mar 2017 08:15:25 -0500

While you were sleeping, a message with a swastika took over Twitter
The Twitterverse is waking up to a major hack today. A strange tweet beginning with a swastika and containing hashtags saying "Nazi Germany" and "Nazi Holland" made the rounds early Wednesday morning. The tweet was sent thousands of times from numerous high-profile accounts of brands, businesses, and public figures, including Worcester State University and Polar Seltzer.
http://www.bostonglobe.com/business/2017/03/15/possible-twitter-hack-hits-accounts-local-and-worldwide/5KaBMS4IF7OEOQwNUooZaN/story.html
EFC7F73E-CD2E-42AA-A9E6-7DCE2A597CB5
Wed, 15 Mar 2017 07:59:26 -0500

Data breach hits Daytona State College staff
A data breach at Daytona State College could have exposed the personal information of hundreds of state employees, the school said. School officials said it's possible that both current and former employees could be affected by the breach, but they didn’t specify how many people were impacted. The breach involved employees’ 2016 W-2 forms, the college said. Officials said they launched an investigation Feb. 19 after they were notified about the incident. It's unclear how the breach happened.
http://www.wftv.com/news/local/officials-data-breach-hits-daytona-state-college-staff/500813036
4DF3EB15-F8D1-4CB4-B6FC-AE5555ABEAF7
Wed, 8 Mar 2017 08:05:22 -0600

FBI investigating hack of KSU server, including state voter data
The FBI is investigating an alleged hack of a Kennesaw State University server. Channel 2 Investigative Reporter Aaron Diamant reports the state voter data kept by the Center for Election Systems was compromised. Sources tell Diamant the hack happened Wednesday night and voter data maintained there was compromised. The Georgia Secretary of State uses the Center for Election Systems at Kennesaw State to facilitate elections in all Georgia counties and maintain voting machines.
http://www.wsbtv.com/news/local/breaking-fbi-investigating-hack-of-ksu-server/499353979
0F95745F-5C5A-485E-BE36-8ABF512F5ABB
Fri, 3 Mar 2017 13:47:35 -0600

Laptops stolen from UC-Santa Cruz instructor’s home contained students’ information
On January 13, 2017, two unencrypted laptops were stolen from the home of a University of California, Santa Cruz (UC Santa Cruz) researcher/instructor. UC Santa Cruz narrative evaluations dating from 2000 to 2004 contained personally identifiable information including names and Social Security Numbers (SSN) (which were used as the Student ID number prior to 2005). In addition to SSN, student record information including grades, narrative evaluations and email addresses were on the stolen laptops.
https://www.databreaches.net/laptops-stolen-from-uc-santa-cruz-instructors-home-contained-students-information/
A762D3EB-F28F-49E9-9BA3-002AD9A71FDB
Fri, 3 Mar 2017 10:51:17 -0600

Vanderbilt hospital employees breached patient records
Vanderbilt University Medical Center will be sending letters to more than 3,000 patients whose personal information was inappropriately accessed by a pair of patient transporters. An audit of electronic patient files conducted by the VUMC Privacy Office found that two people who worked as patient transporters looked at 3,247 medical records between May 2015 and December 2016, according to a release from VUMC. The employees accessed information from adult and pediatric records, including names, birth dates, and medical record identification numbers. In a few instances one person had the ability to see social security numbers.
http://www.tennessean.com/story/money/industries/health-care/2017/02/24/vumc-patient-transporters-accessed-patient-medical-records/98366166/
4F7BCD3A-B8AD-460A-BC39-E992ACCD22C0
Fri, 24 Feb 2017 08:02:23 -0600

Email Lists Revealing Students’ Private Information Remained Public for Years
More than 1.4 million emails--some divulging Harvard students’ grades, financial aid information, and at least one individual's Social Security number--sent over Harvard Computer Society email lists were open to the public until Monday. Teaching fellows, resident tutors, College administrators, and thousands of undergraduates have used the email list service--which the student group made private Monday--for years. Emails sent over HCS lists contained the membership of certain BGLTQ undergraduate groups, bank account numbers for some student organizations, advance copies of a final exam, and answer keys to problem sets. At times, teaching fellows used the lists to discuss students’ grades--a move some legal experts say may violate the Family Educational Rights and Privacy Act, a federal law designed to protect students’ privacy.
https://www.thecrimson.com/article/2017/2/21/hcs-emails-public/
4B3E8A87-A249-46DD-ABE6-F6F6F2176CB0
Mon, 20 Feb 2017 11:24:20 -0600

Russian-Speaking Hacker Sells SQLi for Unauthorized Access to Over 60 Universities and Government Agencies
Rasputin, a Russian-speaking and notorious financially-motivated cyber criminal, continues to locate and exploit vulnerable web applications via a proprietary SQL injection (SQLi) tool. Rasputin’s latest victims include over 60 (combined total) prominent universities and federal, state, and local U.S. government agencies. In November 2016, Rasputin penetrated the U.S. Election Assistance Commission (EAC) via SQLi. 15 plus years of SQLi attacks, and going strong; this prolific vulnerability remains one of the most popular exploits for opportunistic actors due to its ongoing success rate.
https://www.recordedfuture.com/recent-rasputin-activity/
B02D8667-20C1-4323-86AD-B3B875AA4BF8
Wed, 15 Feb 2017 09:44:28 -0600

A university was attacked by its lightbulbs, vending machines and lamp posts
It sounds like a sci-fi movie. Over 5,000 connected devices, including light bulbs and vending machines, were hacked to slow internet service at a university to a crawl. Poorly secured internet of things (IoT) devices have become gold mines for hackers looking to launch DDoS attacks to take websites and services offline. But this latest case, detailed in Verizon's Data Breach Digest 2017, is the rare example of gadgets attacking their own network.
http://mashable.com/2017/02/13/internet-of-things-university-network-/#12gmce6oqOqY
D0FFF404-3B6E-4BCD-9012-21D85A110616
Mon, 13 Feb 2017 08:02:30 -0600

College students are the latest targets of aggressive phishing scams
A wave of nationwide phishing scams is targeting college students, according to reports from Louisiana State University, University of Wisconsin-Platteville, Amherst College, Wellesley College, Dartmouth College and more. At Dartmouth College, several thousand students received emails that appeared to be from President Phil Hanlon. The messages included links to websites with malware. Recipients were advised not to click on the links.
http://www.wtae.com/article/college-students-are-the-latest-targets-of-aggressive-phishing-scams/8730682
941A29CE-95EE-4921-820B-BA5950F91375
Sat, 11 Feb 2017 09:12:12 -0600

Bradley University data breach led to $770,000 in bogus tax returns
A 41-year-old Chicago man pleaded guilty Monday in federal court to using personal information obtained by hacking into Bradley University's computers to obtain about $770,000 in false tax refunds. Gbadebo Adebiyi pleaded guilty to one count of conspiracy to commit mail fraud, a felony that could send him to prison for up to five years. His sentencing is set for May 3 in the courtroom of Senior U.S. District Judge Joe B. McDade. A second man, Idris Akande, 35, also of Chicago, remains a fugitive.
http://www.pjstar.com/news/20170206/bradley-university-data-breach-led-to-770000-in-bogus-tax-returns
1DCEE185-1122-4056-85D7-02885ADFC6C7
Wed, 8 Feb 2017 08:10:11 -0600

Racist and anti-Semitic emails sent to University engineering, computer science students
Tuesday night, at least three racist emails were sent out to University of Michigan Computer Science and Engineering undergraduate students. The subject of the first two emails was "African American Student Diversity" and the third read "Jewish Student Diversity." The emails were sent by three separate University uniqnames -- all of which are administrators of the listservs, potentially indicative that the listservs, via the University’s online contact server, MCommunity, may have been hacked.
https://www.michigandaily.com/section/crime/racist-emails-sent-university-engineering-computer-science-students
6F259234-62B4-496F-98A3-29E1D6F29E1E
Tue, 7 Feb 2017 07:59:23 -0600

Penn Staters encouraged to protect personal information on Data Privacy Day
As the challenge of keeping personal information out of the hands of cybercriminals becomes more complicated, the Penn State Privacy Office is encouraging students, faculty and staff members to follow best practices for storing and sharing online data in recognition of Data Privacy Day on Jan. 28. Hackers have varying motivations, and for some, stealing and selling personally identifiable information (PII) -- which includes any data that can be used to distinguish or trace a person’s identity -- has become big business, according to Holly Swires, privacy officer and interim deputy chief information security officer at Penn State.
http://news.psu.edu/story/447401/2017/01/25/penn-staters-encouraged-protect-personal-information-data-privacy-day
0518A9DF-9CB4-4F81-BCCF-A55D7CB32961
Wed, 25 Jan 2017 08:28:24 -0600

Your Data or Your Money
Give us your money, or your files get it. Imagine turning on your computer only to be greeted by that message. The computer has been infected with ransomware, a type of malware that locks users out of their data and threatens to make it unusable -- either by deleting or encrypting it -- unless the college that has been hacked agrees to pay a ransom. The clock is ticking. Do you pay up? Los Angeles Valley College did.
https://www.insidehighered.com/news/2017/01/24/experts-warn-ethical-implications-paying-ransom-unlock-hacked-files?utm_source=Inside+Higher+Ed&utm_campaign=536bf1c61e-DNU20170124&utm_medium=email&utm_term=0_1fcbc04421-536bf1c61e-198624309&goal=0_1fcbc04421-536bf1c61e-198624309&mc_cid=536bf1c61e&mc_eid=c27b65b094
3512D4C6-037F-4E96-B899-EA530598C489
Tue, 24 Jan 2017 08:29:24 -0600

Ohio State Veterinary Medical Center at Dublin hit with possible data breach
A malware infection is to blame for a security breach that could put the personal information of up to 4,611 clients of the Ohio State Veterinary Medical Center at Dublin in jeopardy. Clients were alerted of the possible threat that could put their bank account information, credit card numbers, driver’s license and their social security numbers at risk, but OSU spokesman Ben Johnson said in a statement that there is "no current evidence that confidential information was viewed or removed from the server."
http://thelantern.com/2017/01/ohio-state-veterinary-medical-center-at-dublin-hit-with-possible-data-breach/
52050EFC-C3C9-4F22-B8FE-C35B470B92C4
Fri, 20 Jan 2017 08:27:29 -0600

University of Iowa suspects grade tampering reason for HawkID security breach
The University of Iowa is investigating a "handful" of possible cases of cheating -- and warning the entire campus community to change their HawkID passwords -- after a faculty member discovered a student’s grade had been changed without authorization. The suspects obtained the account information by secretly attaching physical devices to university computers in classrooms and computer labs. "The investigation shows someone attached unauthorized devices to university instructional computers to capture instructor IDs and passwords," according to UI spokeswoman Anne Bassett. "A few students appear to have then used the passwords to change their grades in select courses."
http://www.thegazette.com/subject/news/education/higher-education/university-of-iowa-suspect-cheating-behind-hawkid-security-breach-20170119
5CC367B1-8056-4622-92CB-A9B69495CC2A
Thu, 19 Jan 2017 15:45:42 -0600

Swastikas, Pro-Trump Fliers Found on UC Berkeley Printers
Students and parents are raising concerns after pro-Nazi fliers appeared on printers around UC Berkeley campus that also championed the day that Donald Trump is sworn in as president. In an email on Tuesday, UC Berkeley spokesman Roqua Montez said there is no credible threat at this time, and a UC Berkeley police sergeant said detectives are following up on the issue. How many fliers were found and on how many printers has not been revealed. He added that the university does not consider this a case of hacking and there is "no actual crime being committed," as the sender is "exploiting open source printers and fax machines that are being legally accessed via the Internet."
http://www.nbcbayarea.com/news/local/Swastikas-Pro-Trump-Fliers-Found-on-UC-Berkeley-Printers-411081265.html
780877C7-4473-4B6E-93F2-EEE1D5994228
Wed, 18 Jan 2017 08:10:21 -0600

Vanderbilt printers churned out anti-Semitic fliers after suspected hack
Printers at Vanderbilt University started inexplicably printing anti-Semitic fliers on Monday in an incident that officials said could be linked to a round of hacking that targeted printers at several universities last year. University police are investigating the incident, which occurred "in a handful of offices on campus," according to an email from university spokeswoman Princine Lewis. The university also notified federal authorities.
http://www.tennessean.com/story/news/education/2017/01/17/vanderbilt-printers-churned-out-anti-semitic-fliers-after-suspected-hack/96677604/
CB9D8054-154E-43FF-8897-B9AB924661B7
Tue, 17 Jan 2017 16:35:10 -0600

Fired IT employee offered to unlock data — for $200,000
Indianapolis-based American College of Education fired its information technology employee last year, according to court documents, but not before an administrative password was changed. The online college then asked the man to unlock the Google account that stored email and course material for 2,000 students, according to a lawsuit filed by the college. The man said he'd be willing to help -- if the college paid him $200,000. Welcome to the new frontier of tech concerns in a business world that has come to depend on the cloud.
http://www.indystar.com/story/news/2017/01/17/after-his-firing-employee-unlock-data-200000/96487962/
6DDD798E-DFEB-418B-8D57-82307B86957F
Tue, 17 Jan 2017 13:07:00 -0600

Hackers extort $28k ransom from Los Angeles college
The Los Angeles Community College District paid nearly $30,000 to regain access to computer systems seized by a ransomware infection that was discovered as students showed up for the first day of classes, educators said this week. Roughly 1,800 teachers and staff of Los Angeles Valley College found themselves unable to access campus computers Tuesday, the start of the semester, due to being targeted by what District Chancellor Francisco Rodriguez described as "malicious cyber activity," Los Angeles Daily News reported this weekend.
http://www.washingtontimes.com/news/2017/jan/7/hackers-extort-28k-ransom-los-angeles-college/
8C2BFE22-14FA-421B-B378-1AF7496DE892
Sat, 7 Jan 2017 08:36:31 -0600

InfoSec Skills Shortage: The No. 1 Threat To Internet Security
It is estimated that today there are over 1 million InfoSec positions unfilled -- growing to over 1.5 million by 2019 -- and more than 200,000 of those vacancies are in the U.S. This global shortage of expertise and experience lies at the very heart of the InfoSec world’s ability to respond to cyber attacks -- affecting vendors and consumers alike.
http://www.informationsecuritybuzz.com/articles/infosec-skills-shortage-no-1-threat-internet-security/
7A428302-1D45-4AC2-ADE0-219AC54CDBAE
Sat, 17 Dec 2016 08:40:38 -0600

UW Law School data breach disclosed
A database within the University of Wisconsin-Madison Law School that contained Social Security numbers and name pairs corresponding with 1,213 Law School applicants for 2005-'06 was hacked last month, the university announced Tuesday. The university removed from the server the records that were likely accessed by the cyber attacker and reported the incident to law enforcement for further investigation. The breach also was reported to three national credit reporting agencies, the news release said.
http://www.jsonline.com/story/news/education/2016/12/06/uw-law-school-data-breach-disclosed/95050542/
677ACFFF-BD60-49A9-9222-9B2743962313
Tue, 6 Dec 2016 08:18:42 -0600

Data breach could cost $3 million, Michigan State says
Whoever hacked into a Michigan State University database earlier this month "found the Holy Grail," according to one security expert. Names and MSU identification numbers were exposed along with social security numbers, which are extremely valuable to criminals. Between providing identity protection and enhancing its security systems, MSU estimates that it will spend $3 million in response to the attack. The potential for identity theft underscores why institutions like MSU shouldn’t hold onto these records for more than a couple years after someone leaves, Stephens added.
http://www.lansingstatejournal.com/story/news/local/2016/11/30/msu-estimates-spending-3-million-responding-data-breach/94541962/
382904C5-1052-42AF-AA06-DFCA9623B9F1
Wed, 30 Nov 2016 08:50:41 -0600

MSU: Payment sought after employee, student data compromised
An email sent to Michigan State University last weekend attempting to "extort money" helped the university identify a data breach that affected about 400,000 records and included names, Social Security numbers and MSU identification numbers, a university spokesman said Friday evening. The affected database was accessed on Sunday and was taken offline within 24 hours of the hack, according to a university statement. The database contained about 400,000 records, but the university said records for only 449 people were confirmed to have been accessed.
http://www.lansingstatejournal.com/story/news/local/2016/11/18/msu-names-and-social-security-numbers-accessed-data-breach/94086880/
748ED8C3-F9FF-4E10-9105-8CE4A6D317E3
Fri, 18 Nov 2016 10:07:18 -0600

One Blank 'Reply All' Email Causes Chaos for UK's Health Service
Network security is a top priority for any company, and especially those that handle sensitive information. But it's not a DDoS attack or hack that brought the UK's National Health Service (NHS) to its knees today; it's a single, blank email sent to 1.2 million employees. As The Register reports, a blank email with the subject line "test" was initially sent out to a small number of recipients on a "CroydonPractices" distribution list. Somehow, the email then found its way into the inbox of every single employee with a NHS.net email address. And as is typically the case in these situations, some of those recipients responded (to everyone) asking to be removed from the list.
http://www.pcmag.com/news/349549/one-blank-reply-all-email-causes-chaos-for-uks-health-ser
46B4E25D-F428-4293-ACA7-2D6DF349F9E2
Mon, 14 Nov 2016 14:26:56 -0600

Arizona man charged in email attacks against over 75 schools
An Arizona man has been charged with trying to hack into email accounts at over 75 universities nationwide. Jonathan Powell, of Phoenix, was arrested Wednesday and held for arraignment in Phoenix federal court. New York prosecutors allege Powell successfully mined accounts for private information at a New York school from his work computer at a Phoenix business. Powell targeted dozens of schools and successfully hacked into student email accounts at the New York school and one in Pennsylvania. He says Powell stole students’ personal information and searched photos for potentially embarrassing content. Prosecutors didn’t name the schools.
http://www.azcentral.com/story/news/local/arizona/2016/11/02/arizona-man-jonathan-powell-charged-email-attacks-schools/93205966/
868E0191-6EBA-4B97-BF2E-CB585BF3C609
Wed, 2 Nov 2016 07:51:05 -0500

Santa Clara University OMC Targeted in Latest Hack
In the latest breach of cybersecurity on campus, a trove of internal documents from the Office of Marketing and Communications were leaked by the anonymous hacker SCUWatch. Included in these documents were crisis management plans, university social media strategies and personal contact information for upper level administrators. According to Chief Information Officer Bob Owen, there are two ongoing, active investigations by the university into this latest leak and the previous breach of video surveillance footage. In an interview with The Santa Clara, Owen said that both leaks were the result of careless password management and not a breach of university systems or firewalls.
http://thesantaclara.org/omc-targeted-in-latest-hack/
DF80E610-77AA-4575-AF78-604BDB78551A
Thu, 27 Oct 2016 13:39:58 -0500

8 CIOs share campus IT horror stories
Despite technology's intention of making things simpler and easier, it's still susceptible to human error, malice or the adverse effects of dated technology. And when things go wrong, they can often go horrifically wrong. In our research for this series, we asked 8 higher ed CIOs to share their scariest campus IT horror stories. This is what they had to say.
http://www.educationdive.com/news/8-cios-share-campus-it-horror-stories/428749/
B60C63B1-9D30-430A-94E6-EC3C85C2C2A9
Wed, 26 Oct 2016 13:42:51 -0500

UCF police trace credit card fraud to restaurant malware
UCF police have determined that a vendor whose restaurants had malware on its computers is the potential root of the spike in campus credit card fraud cases last month. The issue was found with AD Food Services, which operates Asian Chao, Huey Magoo’s and the Corner Café in the Student Union, the University of Central Florida said in a news release. Malware can include viruses, spyware and other unwanted software installed on computers without the owners' knowledge, according to the Federal Trade Commission.
http://www.orlandosentinel.com/features/education/school-zone/os-ucf-fraud-cases-1010-story.html
BACA18EF-F231-4263-9E1A-4FD6C8072CD2
Tue, 11 Oct 2016 13:04:10 -0500

More than 100 UCF students say credit, debit cards hacked
More than 100 University of Central Florida students said their debit and credit cards have been hacked. This latest data breach comes just months after tens of thousands of students' Social Security numbers were stolen. The university said the breach involves businesses and restaurants on campus, not university-controlled areas like financial aid and housing. The university has ruled out the use of skimmers. Security experts said it's likely there is a vulnerability with the Wi-Fi encryption connected to payment processing.
http://www.wesh.com/news/more-than-100-ucf-students-say-credit-debit-cards-hacked/41905714
AE037AD5-39C6-4BF7-A01F-4C900AF88419
Fri, 30 Sep 2016 08:39:51 -0500

Someone may have hacked dozens of university websites for a gambling SEO scheme
People will do crazy things to get to the top of the "real money slots" search rankings. Last week, researchers at eTraffic uncovered a scheme that sent a certain site rocketing up the organic search rankings. When eTraffic investigated, 76 different university and foundation web pages -- including Stanford, New York University and Carnegie Mellon University -- had suddenly begun linking to the site, each randomly inserting linked keywords into otherwise unrelated text. Because Google’s search ranking is still largely based on keyword links from trusted sites, that was enough to propel the site to the top of the search ranking.
http://www.theverge.com/2016/9/26/13059214/seo-hack-gambling-slots-google-search-results-stanford-nyu
0B0592D9-834C-4E5D-A627-D956B96058CB
Mon, 26 Sep 2016 11:41:20 -0500

Kennesaw State student hacks system, changes grades, steals data
Police have arrested a Kennesaw State University student accused of hacking into the school’s system to change grades and steal personal data. Cobb County Police say Chase Arthur Hughes illegally accessed the university’s Owl Express program to alter his grades and the grades of four other students. Police say he also stole the personal data of his fellow students and, at least, three professors at the university. Using the professor’s professional accounts, police say he examined sensitive information, including employment history, credit, financial and medical information.
http://www.fox5atlanta.com/news/206545219-story
5F22BFD2-68B1-48DE-96FF-9F5EA5BBBA85
Tue, 20 Sep 2016 10:37:34 -0500

University of Alaska breach may have exposed student info
On Tuesday, University of Alaska officials announced an attacker using employee credentials may have accessed student information. The breach occurred several months ago after the hacker established a "trust relationship" with a campus employee and then convinced the employee to log into a fraudulent web address using university credentials. Officials said that while student information was stored on a vulnerable network drive, there is no evidence that the information was accessed or stolen.
http://www.scmagazine.com/university-of-alaska-breach-may-have-exposed-student-info/article/520975/
005D8EB5-8172-4699-90B4-D3427197E0C6
Wed, 7 Sep 2016 13:28:22 -0500

Medical College of Wisconsin discloses information on security breach
The Medical College of Wisconsin has mailed letters to about 3,200 patients notifying them about a recently discovered security incident involving an employee's email account. On Aug. 3, the forensic investigation determined that an unauthorized third-party had accessed the email account over three days from July 2-4. The incident did not impact the security of any other MCW email accounts, networks or servers, according to the release. The email account in question contained full names, dates of birth, home addresses, medical record numbers, and codes or notes related to diagnosis or treatment provided. Also, the Social Security numbers of two patients were included in the email account. No health insurance, credit card, banking or other financial information was contained in the email account.
http://www.wauwatosanow.com/story/news/2016/09/06/medical-college-wisconsin-discloses-information-security-breach/89910660/
Tue, 6 Sep 2016 13:41:36 -0500
Why Lacking Risk Assessments May Lead to OCR HIPAA Settlements
Healthcare organizations cannot afford to skip out on conducting regular risk assessments, according to several recent OCR HIPAA settlements. Failing to identify potential risks and vulnerabilities in ePHI security could lead to healthcare data breaches. An OCR HIPAA settlement was reached with the University of Mississippi Medical Center in July 2016, following allegations of multiple HIPAA violations.
http://healthitsecurity.com/news/why-lacking-risk-assessments-may-lead-to-ocr-hipaa-settlements
Fri, 26 Aug 2016 11:08:03 -0500
America’s Schools Have A Big Cybersecurity Problem
According to Verizon’s 2016 Data Breach Investigations Report, the education sector ranked sixth overall in the US for the total number of reported "security incidents" last year. This was notably higher than two other industry sectors which have also been plagued with security problems: healthcare (153 percent higher) and retail (160 percent higher). Why do hackers like school systems? Because the education sector, particularly at the college and university level, is a virtual buffet of valuable data.
http://www.huffingtonpost.com/entry/americas-schools-have-a-big-cybersecurity-problem_us_57bf0366e4b06384eb3e770b
Thu, 25 Aug 2016 11:02:28 -0500
UNM students, employees could be victims of ID theft
Ronald Murray is accused of taking personal information from a University of New Mexico database and using it to go on a nearly $90,000 spending spree. Trujillo said Murray had a flash drive containing personal information for 1,300 former UNM students and employees. Police still don’t know how he obtained it. Trujillo said Murray used the personal information to make fake driver’s licenses, and in one week, racked up $87,957 in bills in other people’s names.
http://www.koat.com/news/unm-students-employees-could-be-victims-of-id-theft/41256378
Wed, 17 Aug 2016 14:55:06 -0500
Universities are tracking their students. Is it clever or creepy?
What could be more normal than heading to the university library, swiping your card and logging in to a computer? Most students wouldn’t think twice about it. But what they may not realise is that this mundane series of events leaves a unique data pattern that can be recorded, logged and reviewed, in a practice known as "learning analytics". And now data analysts are using this information to predict whether students will struggle with their courses, or drop out. Such techniques look set to become an integral part of university life in the future, much to the delight of advocates.
https://www.theguardian.com/higher-education-network/2016/aug/03/learning-analytics-universities-data-track-students
Wed, 3 Aug 2016 11:10:52 -0500
UMMC fined $2.75 million for health data breach on 10,000
The University of Mississippi Medical Center agreed to a $2.75 million settlement with the federal government for alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). Unsecured electronic health information on 10,000 people was breached when a laptop computer was found to be missing, according to the U.S. Department of Health and Human Services’ Office for Civil Rights.
http://msbusiness.com/2016/07/ummc-fined-2-75-million-for-health-data-breach-on-10000/
Fri, 22 Jul 2016 07:58:17 -0500
OHSU pays nearly $3 million over two data breaches in 2013
Oregon Health & Science University has agreed to pay federal authorities $2.7 million for two data breaches in 2013 that involved more than 7,000 patients. OHSU also will enact a "rigorous three-year corrective action plan" as part of a resolution agreement with the U.S. Department of Health and Human Services Office for Civil Rights, according to a statement released Wednesday. The two breaches occurred within three months of each other.
http://www.oregonlive.com/health/index.ssf/2016/07/ohsu_pays_nearly_3_million_ove.html
Wed, 13 Jul 2016 08:24:18 -0500
NCSU warns thousands of students of computer breach
N.C. State University says it has notified 38,000 current and former students that some of their personal information may have been accessed by someone who hacked into the university’s computer system. NCSU officials say someone accessed a university email account using a "sophisticated phishing scam" and got access to a file from 2013 that included names, mailing addresses, university ID numbers and Social Security numbers. Officials say there is no evidence yet that any of the personal data have been retrieved or misused.
http://www.newsobserver.com/news/local/education/article88510572.html
Fri, 8 Jul 2016 07:55:39 -0500
Breaches in the Education sector are up nearly 73 percent over 2015 figures
As of June 28, the total number of breaches captured in the 2016 ITRC Breach Report hit 500, an increase of 18.8 percent over last year's record pace for the same time period (421). Of these, the CEO spearphishing breaches continue to represent nearly one-third of the total breaches reported. Year-over-year, breaches in the Education sector are up nearly 73 percent over 2015 figures, followed by the Business sector up 34 percent, and the Medical / Healthcare field up 16.8 percent. The Government / Military sector continues to show a decline from last year's figures, down 3.3 percent, with the Banking / Financial / Credit category down 64 percent.
http://www.idtheftcenter.org/images/breach/DataBreachReports_2016.pdf
Thu, 30 Jun 2016 13:49:16 -0500
The Internet of Things: Riding the Wave in Higher Education
The Internet of Things (IoT) presents a range of opportunities and challenges. One challenge is network security and physical safety. More connections to the Internet, with more sensors and other devices, create access to the network from potential cybersecurity breaches. And physical safety can be one of the most important issues to a campus community. In fact, safety can be the reason a student might select a specific college or university. A variety of sensors, especially cameras, can now be completely integrated into a public safety system. This allows for quicker response times to an incident, making campuses safer. However, higher education institutions should also consider the policy implications of greater visibility into the lives of students and should be sure to balance privacy and safety. Including students in those policy discussions is one of the best practices that I have seen.
http://er.educause.edu/articles/2016/6/the-internet-of-things-riding-the-wave-in-higher-education
Mon, 27 Jun 2016 13:32:33 -0500
WVSU email accounts ‘compromised’ earlier this year
Two-dozen student email addresses at West Virginia State University were "compromised" earlier this year, but the students weren’t told that someone else might have gotten into their accounts. WVSU’s information technology department received a list in March of about 1,600 email addresses. The person who sent the list said they had been hacked by someone, according to WVSU spokeswoman Kimberly Osborne. Osborne wouldn’t say who gave the school the list or how the person got it.
http://www.wvgazettemail.com/news-education/20160603/wvsu-email-accounts-compromised-earlier-this-year
Fri, 3 Jun 2016 09:12:53 -0500
Nothing to Fear but a Data Incident
For decades, it seems, public speaking was America’s biggest phobia. However, a recent study from Chapman University found that’s changed: Cyber-terrorism, corporate tracking of personal information, government tracking of personal information, identity theft and credit card fraud are now five of the top 10 fears held by Americans. Even a few of the other five fears tangentially relate to cybersecurity, with public speaking nowhere in the top 10.
http://www.informationsecuritybuzz.com/articles/nothing-fear-data-incident/
Wed, 25 May 2016 12:50:01 -0500
FOX 35 Investigation reveals hole in cyber security plan at UCF
A FOX 35 investigation has revealed that in the months leading up to a cyber security breach at the University of Central Florida, leaders decided against an important cyber security measure. In February, the university announced that hackers had gotten ahold of the Social Security numbers of 63,000 students, staff, and alumni. According to the university the breach happened in December of 2015. A memo written by the university’s Information Security Office and published in January of 2015 warned of what an independent security expert called a major weakness in the university’s cyber security plan.
http://www.fox35orlando.com/news/local-news/137565419-story
Fri, 6 May 2016 12:47:19 -0500
Attack shuts down UGA Internet access
A denial of service attack shut down the University of Georgia’s web sites Sunday evening, but as far as investigators were able to determine, no university systems or data were compromised by the attack, said UGA Vice President for Information Technology Tim Chester. According to an email distributed to UGA email users, the attack began shortly after 6 p.m. and lasted until about 10 p.m., when UGA and the consortium that provides Internet connectivity were able to begin blocking the attack, which ended soon afterward. As Chester explained in his email, a "distributed" denial of service attack is when traffic from any IP addresses outside a network flood UGA’s network with enough digital traffic to use up UGA’s entire bandwidth allocation from the Southern Crossroads consortium, run by Georgia Tech. The consortium includes major universities and other institutions in Georgia and five other Southeastern states. While the attack lasted, no one on campus could get on the Internet.
http://onlineathens.com/mobile/2016-03-28/attack-shuts-down-uga-internet-access
Mon, 25 Apr 2016 08:50:14 -0500
Thieves hack W-2s of 1,300 employees at Rockhurst University
Rockhurst University on Wednesday notified about 1,300 employees that someone had stolen personal information from their IRS W-2 forms through a data breach. The theft, which includes Social Security numbers, occurred April 4 and was discovered April 6. None of the victims has reported any loss from the phishing incident, school officials said Wednesday. Rockhurst says the breach occurred when someone impersonating a university administrator requested W-2 information and provided a bogus email address.
http://www.kansascity.com/news/local/crime/article71627842.html
Wed, 13 Apr 2016 07:54:40 -0500
University employees vulnerable after tax data breach
At least 600 current and former Stanford employees are vulnerable to tax fraud following the illegitimate download of their W-2 forms through a third-party service. The security breach is presumably responsible for a rash of tax scam cases disclosed to Stanford, starting on April 1. As of April 7, 23 Stanford employees had reported phony tax filings to the University for this year. That number is still growing as more employees file their taxes, although it remains under 100, according to Stanford spokesperson Lisa Lapin. Lapin could not give a more specific number. A perpetrator or group of perpetrators had used hundreds of Stanford employees’ Social Security numbers and dates of birth to download W-2 forms from the vendor W-2Express, which the University uses to make tax forms accessible online.
http://www.stanforddaily.com/2016/04/12/university-employees-vulnerable-after-tax-data-breach/
Tue, 12 Apr 2016 14:13:15 -0500
Kentucky State University becomes latest victim of data breach
Kentucky State University in Frankfort has informed its employees about a data breach, including information from W-2 tax forms. On Tuesday, the university posted this alert on its website: "This correspondence is to inform you of a data breach that occurred on March 22, 2016, and involved the inadvertent disclosure of personally identifiable information of current and former Kentucky State University ("KSU") employees. The data included KSU W-2s for 2015 and University identification information." The posting said KSU "has already taken action to limit the effects of this breach and to identify" the responsible culprits. Federal and state authorities have been notified and are investigating this incident, KSU said. Earlier this month, the Internal Revenue Service issued an alert to payroll and human resources professionals to beware of a phishing email scheme that purports to be from company executives and requests personal information on employees.
http://www.kentucky.com/news/local/crime/article68960237.html
Wed, 30 Mar 2016 16:36:25 -0500
Hacker Weev hijacked 29,000 printers to spew anti-Semitic flyers across US colleges
An infamous black hat hacker and internet troll has admitted to hijacking 29,000 printers in dozens of college campuses across the US to remotely print out multiple copies of racist and anti-Semitic flyers between Thursday to Friday 24-25 March. Andrew Auernheimer, known as Hacker Weev, explained in a blog post how he was able to exploit a vulnerability in certain online printers. Auernheimer used a single line of Bash script code to scan the internet for unprotected printers that were connected to the web using the open port 9100, and then created a PostScript file containing a flyer advertising a white supremacist news website called Daily Stormer. Since the printers were programmed to automatically print this file format out, they immediately complied. The flyers were discovered at multiple colleges, including Princeton University, Brown University, Yale, University of California at Berkeley, Northeastern University, DePaul University, Smith College, UMass Amherst, University of Wisconsin-Milwaukee, Depaulia, Mt Holyoke and Clark University, according to the multiple US TV channels that picked up the story over the weekend.
http://www.ibtimes.co.uk/hacker-weev-hijacked-29000-printers-spew-anti-semitic-flyers-across-us-colleges-1552005
Tue, 29 Mar 2016 08:44:42 -0500
Concordia University discovers keylogger security incident
A university in Montréal, Québec discovered keylogger devices on computer workstations used by students in university libraries. University officials reported the incident to local authorities and are increasing security in the areas where public computer terminals are located, according to Concordia University's media relations director Christine Mota. In speaking with SCMagazine.com, Mota said physical keylogger devices were found on "a few" of the university's standing workstations. The more common attack method, keylogger malware, was not used. The university said its security network was not affected. The affected express workstations were available to university students, staff, retired faculty, and alumni for up to 10 minutes. Montréal universities have an agreement in which university students attending any university in the city can use the libraries at any other university. As a result, students at any Montréal university may have been affected.
http://www.scmagazine.com/concordia-university-discovers-keylogger-security-incident/article/485609/
Fri, 25 Mar 2016 13:41:36 -0500
California man hacked CMU student's account, prosecutors say
A California college student hacked the student account of a Carnegie Mellon University student to steal her identity and attempt to get credit cards and personal loans in her name, federal prosecutors said. A federal grand jury indicted Dennis C. Liu, 23, of San Marino, Calif., in May on three counts of computer fraud, one count of bank fraud and one count of identity theft. The indictment was kept under seal until police arrested Liu Tuesday. Liu, a student at University of California-Davis, accessed and altered the CMU student's account in January and February 2014, prosecutors said. Using her Social Security number and other personal information, he applied for loans and credit cards at six different banks between January and April 2014, prosecutors said.
http://triblive.com/news/allegheny/10072416-74/student-liu-prosecutors
Wed, 2 Mar 2016 10:33:49 -0600
Data breach at ISU causes misdirected payments
A data breach at Illinois State University caused the payroll of 13 university employees to be misdirected. Chief of Staff Jay Groves explained they’re working with local, state, and federal employees to find where the breach came from. "We found out about it yesterday (Monday) afternoon, immediately informed the 13 people of the compromise situation, made them whole by putting money back in their accounts so they can put it in their own bank," Groves said. Groves added it appears at least five other universities have been affected by this data breach -- none of which are in Illinois. "Don’t want to go too far into the detail of that, of course, because I don’t want to compromise the investigation," he said. ISU has sent an email to all employees informing them of the situation and advising them to be on the lookout for suspicious activity on their accounts.
http://www.wjbc.com/2016/03/01/data-breach-at-isu-causes-misdirected-payments/
Tue, 1 Mar 2016 08:08:56 -0600
University of California notifies 80,000 of cyber attack
Officials at the University of California Berkeley said on Friday that they were alerting 80,000 people, including current and former students, faculty and vendors of a cyber attack on a system that stores social security and bank account numbers.
The San Francisco Bay Area university said there was no evidence that attackers actually took any personal information, but that it was still alerting the 80,000 individuals to be on the lookout for misuse of their information. The school said a hacker or hackers gained access to its financial management software in late December due to a security flaw present when the system is updating. Officials have notified law enforcement, including the FBI, and hired a private computer investigation company. The university said among the potentially affected are 57,000 current and former students; about 18,800 former and current employees; and 10,300 vendors who work with the school. Those figures come out to about half of the school's current students and two-thirds of its active employees.
http://news.yahoo.com/university-california-notifies-80-000-cyber-attack-203120829--sector.html
Fri, 26 Feb 2016 15:05:17 -0600
JSU official: student used staff member credential to leak data
A 17-year-old Jacksonville State University student used a staff member’s credentials to access the personal information of more than 40,000 current and former students leaked online earlier this week, university officials said Thursday. Vinson Houston, JSU’s head of information technology, said that the suspect accessed one of the many ancillary systems maintained by various units and departments on campus. "We found out that the guy got access to the information in one of those systems and was able to extract it," Houston said in his office. "We feel confident that the way he was able to do that was by obtaining the credentials of one of the individuals that had access to that system." Houston said he spent the week working alongside U.S. Secret Service officials to find the person responsible for a website that he became aware of Tuesday afternoon. The site, which was still live as of Thursday evening, allows visitors to search for names of JSU students and pull up their pictures, home addresses, phone numbers, birth dates among other information. Information was released for students who enrolled at the school dating back to 2007, Houston said.
http://www.annistonstar.com/news/jsu-official-student-used-staff-member-credential-to-leak-data/article_5436fa8c-dc11-11e5-b15d-13efc8a28b70.html
Thu, 25 Feb 2016 08:05:17 -0600
University of Mary Washington warns about possible data breach
The personal information of 4,100 employees, students and alumni of the University of Mary Washington was compromised after an employee’s laptop was stolen in January. According to the university, the laptop contained the names, addresses and Social Security numbers of those affected, and was swiped while the employee was using public transportation.
"We have no indication that the information has been or will be misused," said UMW spokeswoman Marty Morrison. "But we sent letters on Feb. 4 out of an abundance of caution to individuals whose information was contained on the laptop." The information was downloaded onto the laptop against university policy. The employee has been disciplined and the university is retraining employees on proper information standards.
http://www.fredericksburg.com/news/education/umw-warns-about-possible-data-breach/article_a09feef8-d68d-11e5-bbaf-af36f7edefa9.html
Thu, 18 Feb 2016 12:57:02 -0600
Data breach incident December 2015 involving stolen Oregon Health and Science University hard drive
On December 6, 2015, an OHSU research student’s car was broken into and a hard drive was stolen. The hard drive may have contained health information about Neonatal Intensive Care Unit patients admitted to the unit in 2013 who were enrolled in a research study about the potential effect of aminoglycoside antibiotics on hearing. The information included the patient’s full name, date of birth, medical record number, diagnosis, doctor’s name, and some clinical information related to the research. The information did not include address, phone number, any insurance information, social security number, or other identifiers that we believe would result in financial harm to patients or their families. Patient contact information, address or other identifiers were not included.
http://www.ohsu.edu/xd/about/news_events/news/2016/02-10-data-breach-incident-dec.cfm
Wed, 10 Feb 2016 12:48:17 -0600
University of Central Florida Hack: 63,000 Social Security Numbers Stolen From Students, Staff
In an unprecedented data breach at University of Central Florida (UCF), about 63,000 Social Security Numbers (SSN) and names of former and current students and UCF staff were hacked, a University official revealed on Thursday. Those affected include about 600 current student-athletes, former student-athletes who last played sports in 2014-15, student staff managers for the teams and other related positions. However, the bulk of those whose information was compromised are current UCF employees as well as those who worked at UCF as far back as the 1980s.
http://www.orlandosentinel.com/features/education/school-zone/os-ucf-data-hack-students-story.html
Thu, 4 Feb 2016 11:27:44 -0600
‘Phishing’ hack at the University of Virginia compromises employee computer records
Hackers accessed numerous computer records containing personally identifiable information belonging to University of Virginia employees, part of a "phishing" scam that also included some bank records, school officials announced Friday. An FBI investigation into data exposure at several U.S. colleges and universities found that overseas hackers, who are now in custody, gained access to records for 1,400 U-Va. employees, including W-2 tax forms from 2013 and 2014, U-Va. officials said in a statement. The direct deposit bank records for 40 employees also were stolen, U-Va. officials said.
https://www.washingtonpost.com/news/grade-point/wp/2016/01/22/phishing-hack-at-the-university-of-virginia-compromises-employee-computer-records/
Fri, 22 Jan 2016 12:51:47 -0600
Data breach incident December 2015 involving stolen Oregon Health and Science University hard drive
A Georgia resident linked to the University of Northern Iowa data breach has been charged as part of a tax refund scheme in Iowa. More than 100 UNI employees reported receiving rejection letters from the IRS when they filed their taxes in 2014. That was because someone had already filed taxes on their behalf and collected their refunds. On Friday, officials with the U.S. Attorney’s Office for the Northern District of Iowa filed an information charging 45-year-old Bernard Ogie Oretekor with theft of government property and aggravated identity theft.
http://wcfcourier.com/news/local/crime-and-courts/man-linked-to-uni-data-breach-arrested-on-identity-theft/article_76327453-f736-5b83-83c5-9f6610fc1ddb.html
Sun, 17 Jan 2016 09:21:58 -0600
Indiana University Health Arnett Hospital notified 30,000 of missing or stolen portable storage device
Indiana University Health Arnett recently reported that information of more than 29,000 patients has gone missing, according to hospital system officials.
An unencrypted USB flash drive, which stored the data, disappeared Nov. 20 from the hospital's emergency department at 5165 McCarty Lane.
The flash drive contained spreadsheets with information from emergency department patients dating back to Nov. 1, 2014. The information includes patient names, dates of birth, home telephone numbers, medical record numbers, physician names, diagnoses and dates of service.
http://www.jconline.com/story/news/2016/01/05/iu-health-arnett-reports-missing-patient-info/78300400/
Tue, 5 Jan 2016 08:16:16 -0600
SNHU still investigating database leak exposing over 140,000 records
Southern New Hampshire University (SNHU) says they're investigating how a database containing some student and class information was exposed to the public. The exposed SNHU database contains more than 140,000 records including student names, email addresses, and IDs; as well as other class-related details such as course name, course section, assignment details and assignment score. The database also contains instructor names and email addresses. SNHU says the database was exposed by a third-party vendor (configuration errors), but they wouldn't name the vendor in question.
http://www.csoonline.com/article/3019278/security/snhu-still-investigating-database-leak-exposing-over-140-000-records.html
Tue, 5 Jan 2016 07:40:27 -0600
Kean University Hacked Three Times in One Day, Algerian Group Claims Responsibility
The Kean University website was hacked three times Sunday and into early Monday morning by what the college and its police department believe to be an Algerian group calling itself "Red Hell." "Kean University's externally hosted website was hacked twice in the past 24 hours by a group calling itself Red Hell, claiming to operate out of Algeria. They posted a despicable message. The site was disabled as soon as we were informed of the breach. A new firewall was enabled and the site became operational again at 3 p.m. today."
https://www.tapinto.net/towns/east-orange-slash-orange/articles/kean-university-hacked-three-times-in-one-day-al-18
Mon, 21 Dec 2015 08:03:00 -0600
U. Colorado Health Notifies 827 Patients That Employee Snooped in Their Records
UCHealth in northern Colorado is notifying approximately 800 patients that an employee inappropriately accessed their electronic medical record information. Letters to these patients have already been mailed, and affected patients will receive the letters over the coming days.
http://www.databreaches.net/u-colorado-health-notifies-827-patients-that-employee-snooped-in-their-records/
Mon, 7 Dec 2015 07:48:51 -0600
Court Docs Show a University Helped FBI Bust Silk Road 2, Child Porn Suspects
An academic institution has been providing information to the FBI that led to the identification of criminal suspects on the dark web, according to court documents reviewed by Motherboard. Those suspects include a staff member of the now-defunct Silk Road 2.0 drug marketplace, and a man charged with possession of child pornography.
It raises questions about the role that academics are playing in the continued crackdown on dark web crime, as well as the fairness of the trials of each suspect, as crucial discovery evidence has allegedly been withheld from both defendants.
http://motherboard.vice.com/read/court-docs-show-a-university-helped-fbi-bust-silk-road-2-child-porn-suspects
Thu, 19 Nov 2015 10:12:17 -0600
More than 1,000 patients of UC Health may have had their private information exposed, all because of an email address mixup. The mistake -- two letters switched in an email domain name (the part after the @ sign) -- happened nine times starting in August 2014, spokeswoman Diana Lara said late Friday night. The emails were supposed to stay within UC Health, Lara said.
http://www.wcpo.com/news/local-news/hamilton-county/cincinnati/uc-health-privacy-breach-affects-1064-patients
Sat, 14 Nov 2015 00:00:00 -0600
The University of Illinois will spend over $2 million because of its handling of a social media situation that might have been avoidable.
http://www.inc.com/joseph-steinberg/how-a-single-social-media-blunder-cost-a-university-$2-million.html
Fri, 13 Nov 2015 00:00:00 -0600
A University of Iowa military and veterans education specialist has been fired for using "inappropriate language" in an email sent from his UI address in an official capacity. "A member of the Student Veterans Association at the University of Minnesota sent an email that the employee found insulting," according to the appeal. The employee responded to that member with an email -- and copied several others, including the Minnesota association's president -- in which he called the person vulgar names and used expletives.
http://www.thegazette.com/subject/news/education/higher-education/university-of-iowa-veterans-education-specialist-fired-for-inappropriate-email-20151102
Fri, 6 Nov 2015 08:57:27 -0600
Nebraskan pleads guilty to hacking computers at Iowa college
Prosecutors say a Nebraska man who didn't get the promotion he wanted at an Iowa college has been convicted of hacking without authorization into several of the university's computers and email accounts.
http://www.washingtontimes.com/news/2015/oct/30/nebraskan-pleads-guilty-to-hacking-computers-at-io/
Fri, 30 Oct 2015 08:43:56 -0500
U. of Oklahoma College of Medicine Department of Obstetrics and Gynecology notified patients after laptop stolen from physician’s car
University of Oklahoma College of Medicine notified 9,300 patients of a possible HIPAA breach after a laptop was stolen from a physician's car. The laptop included personal information and medical records.
http://www.databreaches.net/u-of-oklahoma-college-of-medicine-department-of-obstetrics-gynecology-notified-patients-after-laptop-stolen-from-physicians-car/
17CAF311-9B3E-4DD7-953D-2E83DC391043 Wed, 14 Oct 2015 00:00:00 -0500
Cyber insurance premiums rocket after high-profile attacks
A rash of hacking attacks on U.S. companies over the past two years has prompted insurers to massively increase cyber premiums for some companies, leaving firms that are perceived to be a high risk scrambling for cover. The price of cyber coverage - which helps cover costs like forensic investigations, credit monitoring, legal fees and settlements - varies widely, depending on the strength of a company's security. But the overall trend is sharply up.
http://uk.reuters.com/article/2015/10/12/uk-cybersecurity-insurance-insight-idUKKCN0S609S20151012
7581F518-0CAD-4F6D-95D7-C51635E5A778 Mon, 12 Oct 2015 10:55:53 -0500
Hacker Exfocus Blamed For Knocking Rutgers University Offline With DDoS Attack, Even After Expensive Upgrade
Someone is tormenting Rutgers University. The New Jersey school announced Monday it was fending off a distributed denial-of-service attack that crippled its Internet and Wi-Fi access. The latest cyberattack on a major U.S. research institution comes after a number of similar hacks against Rutgers, a school of approximately 65,000 undergraduate students.
http://www.ibtimes.com/hacker-exfocus-blamed-knocking-rutgers-university-offline-ddos-attack-even-after-2117247
7A56507B-9C9C-4CC9-BAC6-D83EE4BC82CE Mon, 28 Sep 2015 11:05:57 -0500
Police investigate security breach of University of Calgary's PeopleSoft system
The employee records of a number of University of Calgary staff members were fraudulently accessed, and banking records altered, during an 'isolated breach' that is being investigated by the Calgary Police Service. In a letter to University of Calgary staff, Linda Dalgetty, vice president of finance and services, says 29 employee records on the PeopleSoft system were accessed, of which 13 were altered during the security breach. The compromised accounts have been locked and removed from the school's internal network.
http://calgary.ctvnews.ca/police-investigate-security-breach-of-university-of-calgary-s-peoplesoft-system-1.2583492
9048ECEF-6969-4497-942C-9C39537E5A14 Sun, 27 Sep 2015 11:06:50 -0500
Stolen laptop potentially exposes health information of 5,000 minor patients in LA, MS
A laptop stolen from a member of the faculty of LSU Health New Orleans School of Medicine has potentially exposed the protected health information of approximately 5,000 minor patients primarily living in Louisiana and Mississippi. The information on the laptop included names, dates of birth, dates of treatment, descriptions of patients' conditions, treatments, and outcomes, lab test results, radiological and ultrasound images, medical record numbers, and diagnosis and treatment information. No Social Security numbers, credit card, bank account information or other financial data were stored on the laptop.
http://www.ksla.com/story/30037676/stolen-laptop-potentially-exposes-health-information-of-5000-minor-patients-in-la-ms
89433BE2-F25D-4BAA-87D8-15F625D5D4FE Tue, 15 Sep 2015 11:08:13 -0500
This Could Be The Year Of The University Hack
Attacks against university networks and those who use them are on the rise. Symantec's 2015 Internet Security Threat Report (ISTR) found that education was the third-most breached sector in 2014, accounting for 10 percent of total incidences -- and that number is only expected to rise.
http://techcrunch.com/2015/09/10/this-could-be-the-year-of-the-university-hack/#.fc6nls:xfQx
1B93F216-C277-4C0E-B1CC-3249C777F796 Thu, 10 Sep 2015 11:08:43 -0500
CSU: 79K students had data breached on third-party website
A data breach through a third-party vendor exposed the personal information of 79,000 California State University students in late August, officials with the Chancellor's Office confirmed Tuesday. The CSU Chancellor's Office in Long Beach said the breach -- which included information such as sexual orientation, gender, email and mailing addresses -- was discovered Aug. 28, affecting students at eight CSU campuses who had enrolled in a required sexual assault training program.
http://www.presstelegram.com/social-affairs/20150908/csu-79k-students-had-data-breached-on-third-party-website
0BD2CE62-E91B-45C1-9296-B0BAFB71E360 Tue, 8 Sep 2015 11:09:10 -0500
UCLA Health notifying 1,242 patients about stolen laptop containing personal health info
UCLA Health announced Tuesday that 1,242 patients are being notified about the theft of a faculty member's laptop computer containing names, medical record numbers and health information used to prepare patient treatment plans. According to UCLA, no Social Security numbers, health plan ID numbers, credit card numbers or other financial data were stored on the stolen laptop, which was password protected and was reported stolen on July 3.
http://www.dailynews.com/general-news/20150901/ucla-health-notifying-1242-patients-about-stolen-laptop-containing-personal-health-info
DD915759-2E20-4A68-8DF5-F3CE0B53BDA0 Tue, 1 Sep 2015 11:09:51 -0500
Who hacked Rutgers? University spending up to $3M to stop next cyber attack
The identity of the hacker or hackers who crippled Rutgers University computer networks at least four times during the last school year is still a mystery. But Rutgers is spending big money to make sure cyber attackers don't knock the school offline again.
http://www.nj.com/education/2015/08/who_hacked_rutgers_university_spending_up_to_3m_to.html
6D6646F9-7E5F-4686-97A1-8DEA9D6ED47B Sun, 23 Aug 2015 11:10:47 -0500
Winthrop-University Hospital worker charged with stealing patients' personal information, cops say
A woman who worked at Winthrop-University Hospital was arrested after stealing patients' personal information, Nassau police said Friday. Jasmine Sanchez, 33, of Lawrenceville, Georgia, was an account representative for the Mineola-based hospital when she stole Social Security numbers and credit card information while she worked out of a Bethpage office, police said.
http://www.newsday.com/long-island/nassau/winthrop-university-hospital-worker-charged-with-stealing-patients-personal-information-cops-say-1.10762842
940D990A-B1D8-4916-900E-3F359D40D09D Fri, 21 Aug 2015 11:12:36 -0500