A data breach has turned scores of Northwest Florida State College (NWFSC) employees into victims of identity theft in the aftermath of a massive data breach affecting nearly 300,000 people, including current and former students.
The employee data was breached between May 21 and Sept. 24 after one or more hackers accessed a folder on the school's main server. According to school officials, an internal review between Oct. 1 and Oct. 5 revealed that 76,000 current and former students of Northwest Florida State College (NWFSC) had their personal information exposed in the breach, as did approximately 200,000 students from Florida who were eligible for the Bright Futures scholarships for the 2005-2006 and 2006-2007 school years.
In addition, more than 3,000 current and retired employees had their information exposed as well, making the breach one of the more extensive security incidents affecting a college in recent memory.
ThreatMetrix, an IT security vendor focused on fraud-prevention tools, recently ranked the highest-risk universities in the country based on the number of risky online transactions either held for manual review or rejected by university networks. Among the leaders on the list were New York University (NYU), George Mason University and Harvard University. According to the firm, NYU is ranked No. 1 because when the transactions collected by ThreatMetrix were reviewed, they originated from 14 different time zones.
Since these transactions are all either from servers on the university's networks or students connecting to the networks, uncompromised transactions should all originate from one time zone. This means the transactions from other time zones indicate the use of either a proxy or VPN provider or a compromised network, the company explained.
"Many of the top 50 were some of the leading universities in the U.S. which reflects the fact that their students, staff and administration services such as payroll are going to be high value targets for international criminals," said Alisdair Faulkner, chief products officer at ThreatMetrix. "In addition 14 of the top 50 universities were recently breached by GhostShell which suggests that a large number will be shown to have compromised servers over the coming weeks. Once one criminal finds a hole, a river of crime quickly flows through."
In the case of the NWFSC, the exposed information includes names, social security numbers and birthdays. According to the college, the personal information exposed also includes the direct deposit bank routing and account number information of employees. As of Oct. 8, 50 employees had reported issues with identity theft, including the college president.
“We provided information to employees as soon as we had an indication that there was an issue–when we initially had reports from five employees that their direct deposit accounts had been unlawfully accessed,” said Dr. Ty Handy, college president, in a statement. “We needed employees to take immediate steps to individually review and protect their personal data. As they did, more employees began to report issues once they reviewed their information."
“We know that from May 21, 2012 until Sept. 24, 2012 one or more hackers accessed one folder on our main server," Handy said. "This folder had multiple files on it. No one file had a complete set of personal information regarding individuals. However, by working between files, the hacker(s) have been able to piece together enough information to be able to engage in identity theft for at least 50 employees."
Police have been contacted about the NWFSC incident.
"The vast majority of attacks against universities are opportunistic in nature (rather than highly targeted against a particular school or system), and exploit simple vulnerabilities," explained Josh Shaul, CTO of Application Security. "Most commonly, we see SQL injection as the attack vector, which is a technique that attackers have been using with great success for at least a decade now. Universities are clearly under attack, but rarely have the budget to spend to completely defend themselves."