Cyber Incident Victim: Southern College of Optometry
Date:
Jun 2018
Location:
United States of America
Summary
The Southern College of Optometry experienced a breach involving unauthorized access to an employee's email account, which contained a list of students' personal and financial data. The compromised information included names, Social Security numbers, and loan amounts, with evidence indicating the attacker forwarded the data to an external email address. While the institution found no proof of misuse following its investigation, it notified affected individuals and disclosed that the incident occurred on the same day it was discovered. The breach notification was publicly shared through regulatory channels.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On June 15, 2018, the Southern College of Optometry (SCO) discovered unauthorized access to an employee's email account, occurring the same day as the breach. The compromised account contained a spreadsheet listing students who had received loans, including their full names, loan amounts, and Social Security numbers. Investigators determined the attacker forwarded the email containing this sensitive data to an external third-party address. SCO immediately notified students about the breach via email on the day of discovery, June 15, though the full scope of compromised information was not yet confirmed at that initial stage. The college launched an internal investigation but found no evidence of actual misuse of the stolen data.
President Lewis N. Reich formally detailed the incident in a notification letter dated July 16, 2018, confirming the exposure of financial aid records and Social Security numbers. The letter clarified that only students listed in the specific email attachment were affected, though SCO declined to disclose the exact number of impacted individuals. No academic records, medical information, or payment card details were involved in the breach. SCO provided breach notifications through email and posted the full letter on the Vermont Attorney General's website for public access. The U.S. Department of Education received a breach report from SCO, though details of federal oversight actions remained unresolved as of the article's publication due to pending Freedom of Information Act requests.