Cyber Incident Victim: Oregon State University
Date:
Sep 2020
Location:
United States of America
Summary
A cybercriminal breached an Oregon State University Ecampus server containing directory information such as email addresses, phone numbers, and mailing addresses for students and faculty, though no Social Security numbers were compromised. The university notified affected individuals, offered support services including complimentary credit monitoring, and implemented remediation measures to address the vulnerability while restoring server operations. Ongoing monitoring and additional protective steps for IT systems were pledged to safeguard sensitive data following the incident.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On September 3, 2020, Oregon State University publicly disclosed an IT security incident involving unauthorized access to an Ecampus server, which hosts the university’s online education programs. A cybercriminal breached the server and potentially accessed directory information belonging to students and faculty, including email addresses, phone numbers, and mailing addresses. The university confirmed that no Social Security numbers were compromised in the attack. OSU’s investigation found no evidence that the exposed personal information had been viewed or misused, but the institution proactively notified affected individuals out of caution. Steve Clark, OSU’s Vice President for University Relations and Marketing, emphasized the seriousness with which the university treated the breach and outlined immediate response measures.
OSU promptly remediated the vulnerability that enabled the server intrusion and restored the system with enhanced security safeguards. The university offered complimentary credit monitoring services to impacted students and faculty despite the absence of confirmed data misuse, providing a dedicated phone line for inquiries during business hours. Clark stated that OSU would continue monitoring systems and implementing additional protections to secure sensitive data and IT infrastructure. No operational disruptions to Ecampus services were reported following the server’s restoration. The incident remained confined to directory information, with no broader compromise of academic, financial, or research systems identified in the university’s disclosure.