Not even the college president was immune from the breach, which officials say occurred between May 21 and Sept. 24 of this year, when the attacker or attackers accessed a folder on the server that stored multiple files containing sensitive information. Some 50 university employees had suffered identity theft at this time, according to Ty J. Handy, president of NWFSC.
"No one file had a complete set of personal information regarding individuals. However, by working between files, the hacker(s) have been able to piece together enough information to be able to engage in the theft of identity of at least 50 employees. We know by working between files data regarding Name, Social Security Number, Date of Birth, and Direct Deposit Account numbers were accessed," Handy wrote in memo this week to university employees. "Additional directory information such as address phone numbers, college email address, etc. was also likely compromised."
NWFSC officials say they think it was a coordinated attack and that the hackers had to work to collate enough information on each victim to conduct identity theft. "We do not believe the hackers have accessed this information about all 2,200 individuals but this potential does exist," Handy said.
Student birthdates and Social Security numbers may also be among the stolen information, but there's no evidence of that thus far. No academic information was exposed, however.
"We believe a few vendors (less than 40) with whom we do electronic funds transfers for bill payments may also have had account information taken but, again, we have no concrete evidence this information was taken," Handy said.
The names, Social Security numbers, birthdates, and other personal information of students across the state who were eligible for the Bright Futures scholarship program during the 2005-06 and 2006-07 academic years were exposed, as well, in the attack.
The university hopes to know by the end of the week exactly whose information was compromised, and will alert each victim individually as soon as possible, Handy said.
"I regret that this situation has occurred. It is most unfortunate. I applaud the quick response and hard work of the IT department to identify and close the access point and for their ongoing efforts to ferret out what and who was compromised once they became aware of the infiltration. I recognize that this is a significant hassle for those whose information is used to commit Identity Theft. I was one of the first seven or eight to be hit personally and I have spent several hours on the phone working with my bank and others to protect myself. It is not an enjoyable experience and for that I apologize," he said.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.