It was around 4 p.m. when it happened. The first Tuesday of class.
An outsider accessed a ULM Foundation employee’s email, possibly compromising the personal information of last year’s graduates.
According to Vice President Stephen Richters, it was a phishing attack that caused the breach.
It was disguised as an email from ULM’s computing center.
The scam email was sent to 80 people saying there was a problem with their account. It requested their password to fix the problem.
An employee responded with their password and the account was immediately accessed.
“It was twenty minutes before we were able to shut it down. We have no idea what was accessed. They may not have had time to look at anything. We just can’t tell,” Richters said.
But a file in the employee’s email contained information, including Social Security Numbers of recent graduates.
Richters declined to specify how many were on the file and possibly affected by the security breach, but said it was “quite a few students.”
“We emailed those graduates, followed up by a letter. The state attorney general requires us to do that,” Richters said.
He said they also sent them various websites about identity theft.
Student in the Dark
Grimsley, who graduated in the spring with a B.S. in biology, received an email on Aug. 21 notifying him of the breach.
He was appalled. He has not received anything since.
No information. No letter. Grimsley finds it upsetting that he hasn’t received any follow-up.
He doesn’t know what to do and said he was given no suggestions by the university other than “monitor your accounts.”
“The only notification I have is the initial email which only apologized for any inconveniences,” said Grimsley. “I feel left in the dark.”
Grimsley also feels a lack of trust for the staff that handles personal information.
“The ‘send all your credentials to this address’ is the oldest phishing scam in the book,” said Grimsley. “For someone to have a job handling sensitive information, they should be able to avoid an obvious scam.”
He was upset that his Social Security Number may have been sitting in “a plain text file on someone’s email account.”
“This university has fallen to a similar scam before not too long ago, you would think they would be on guard for at least the same exact scam,” Grimsley said.
Breach of 2012
ULM experienced a similar situation in 2012, according to privacyrights.org.
It states hackers accessed the information of those in the Upward Bound program, a federally funded program to assist low-income prospective students.
A file in the employee’s email included the personal information of 83 high school prospects, three employees and 35 students within ULM, according to privacyrights.org.
But Richters said Upward Bound is not necessarily a ULM program and the hacking wasn’t specific to ULM.
“It was some individuals who work through the university,” Richters said. “That was a breach of whatever protocol they had in that program.”
Trying to Solve the Problem
Richters said they are looking into software that will search through the email server from the past couple years and delete personal information.
According to Richters, no one should have a file of Social Security Numbers as they use campus-wide IDs.
Only externally, such as with FAFSA, would Social Security Numbers come into play.
“That a file with this information was found is a real anomaly. But it’s one of those things that happened that never should have happened,” Richters said.
The phishing attack was tracked back to a server in Croatia. Richters said it could have bounced through many servers before it got there.
According to Richters, ULM gets phished several times a year but he doesn’t think anyone has ever responded until now.
Richters’ rule of thumb is never send out passwords or personal information.
If he receives an email with an odd attachment or link, he deletes it.
Grimsley found it unsettling that all services he found to protect against identity theft and credit card fraud cost money or are retroactive, meaning he would have to wait until someone utilizes his credentials before action is taken.
“I have to pay money to protect my money and myself. So many people my age don’t understand how easily and badly this kind of thing can happen to them,” Grimsley said.
According to the Better Business Bureau, it takes longer for people aged 18 to 24 to detect identity theft.
The average loss college-aged people experience is five times more than other age groups.