Cyber Incident Victim: Western Governors University

Date: Aug 2015

Location: United States of America

Summary

A hacker known as JM511 compromised multiple universities, including Western Governors University, through SQL injection and cross-site scripting (XSS) vulnerabilities, exploiting insecure web applications and databases. The attacker publicly disclosed vulnerable URLs used in the breaches and warned institutions prior to attacks, though no personal data was confirmed as exfiltrated from this particular university. At another targeted institution, compromised data included user credentials, email addresses, and names, with some passwords stored in plain text. The incidents highlighted systemic security weaknesses across multiple educational institutions.

Description

In August 2015, a hacker using the alias JM511 conducted a series of cyberattacks targeting multiple American universities, including Western Governors University (WGU) in Utah, the University of California at Los Angeles (UCLA), the University of Minnesota, DePaul University, and Northern Illinois University. The attacker exploited SQL injection and cross-site scripting (XSS) vulnerabilities to compromise institutional systems. JM511 publicly disclosed the breaches through Twitter, posting notifications to each university’s account alongside links demonstrating the specific vulnerable URLs exploited. For UCLA, the hacker provided evidence of unauthorized database access, including extracted user credentials, email addresses, names, and both hashed and plain-text passwords. JM511 also disclosed technical details of UCLA’s compromised systems, such as Apache and PHP versions, MySQL database configurations, and user privileges. Prior to the UCLA breach, JM511 claimed to have sent two email warnings to the institution over a week before the attack, emphasizing unaddressed vulnerabilities.

The attacks exposed authentication data and personally identifiable information from UCLA’s systems, though JM511 did not release evidence of exfiltrated data from WGU or the other named universities at the time of reporting. The hacker implied future intent to leak data from Southern Illinois University, referencing prior security deficiencies identified in a 2014 audit. JM511’s public tweets served as the primary notification method to the affected institutions, raising concerns about whether university social media teams would recognize the threats and escalate them to IT security personnel. No institutional containment measures, forensic findings, or post-incident responses were documented in the available source material regarding WGU or the broader campaign. The incidents highlighted risks associated with unpatched web applications and insufficient vulnerability management across multiple higher education networks.
