Oregon State University officials announced Friday that a cyberattack had exposed the data of 636 students, prospective students and family members to hackers.
Steve Clark, vice president for university relations and marketing for OSU, said a university employee’s email account was hacked in early May. He said the purpose of the initial attack appears to have been to phish for information from people by sending them emails that appeared to be from the university. However, he said, a forensic review revealed that the names, birthdates, Social Security numbers and other personal information for students, prospective students and their family members also were accessible through the university employee's account.
“OSU is continuing to investigate this matter and determine whether the cyberattacker viewed or copied these documents with personal information,” Clark said. “While we have no indication at this time that the personal information was seen or used, OSU has notified these students and family members of this incident. And we have offered information about support services that are available, including 12 months of credit monitoring services that the university will enable at no cost.”
Clark said the employee had access to personal information of students and their family members because the employee worked with prospective students to determine if they could be admitted to the university or could qualify for financial aid.
Clark said university systems identified the breach after it occurred, and since then officials have been working to understand the extent of the breach. He said they also have been in contact with the FBI and local law enforcement agencies.
“Before we can announce a breach it was essential we know the extent of the breach and have a way to support those whose personal information may have been breached,” Clark said.
OSU has a customer service call center set up to give people whose data could have been accessed through the breach information about how to monitor or freeze their credit, if they believe it is necessary. That call center can be accessed at 541-713-0400.
Clark said the university is constantly working to make sure it is using best practices for cyber security.
“We will continue to examine our policies and procedures and expand their protections," he said.
This story may be updated.