Cyber Incident Victim: Clark University

In March 2018, Clark University in Massachusetts experienced a phishing incident that compromised an employee’s email account. Unauthorized individuals gained access to the account between March 19 and March 23, as determined by the university’s subsequent investigation. The breach occurred after the employee fell victim to a phishing attack, though specific details about the phishing method or initial detection timeline were not disclosed. The compromised email account contained personal information belonging to an unspecified number of students, including Social Security Numbers. The university did not publicly identify the affected employee’s department or role, nor did it describe the exact mechanism of account compromise beyond confirming phishing as the attack vector. No evidence suggested system-wide network infiltration beyond the single email account.

On July 20, 2018, Clark University began notifying impacted students via mailed letters, four months after the breach window closed. The notifications confirmed the exposure of sensitive data but emphasized no evidence of actual misuse had been identified. Affected individuals received offers for one year of complimentary credit monitoring through Experian’s Identity Works product. The university did not disclose the total number of notified students or provide specifics about the investigation’s methodology. Containment measures were implied through the termination of unauthorized access by March 23, though technical remediation steps such as password resets or multi-factor authentication implementation were not detailed. The incident’s known consequences remained limited to potential data exposure, with no confirmed cases of identity theft or financial fraud directly linked to the breach at the time of reporting.