Cyber Incident Victim: Oregon State University

In early May 2019, Oregon State University (OSU) experienced a data privacy incident involving unauthorized access to an employee's email account. The compromised account contained documents with personally identifiable information of 636 students and their family members. Attackers used the breached email account to send phishing emails across the United States. OSU initiated a joint investigation with forensic specialists to determine the extent of the intrusion. The university confirmed that student records and family records containing sensitive data were potentially exposed during the incident. While the investigation confirmed the email account compromise and subsequent phishing campaign, officials could not immediately verify whether attackers had viewed or copied the documents containing personal information. OSU did not publicly disclose the exact method of initial account compromise or whether multi-factor authentication was in use at the time of the breach.

The university focused its response on determining the scope of impacted individuals and analyzing potential data exposure. University officials confirmed the incident affected only one employee account but impacted hundreds of student and family records through documents stored within that account. OSU did not specify the exact types of personal information involved beyond "personally identifiable information," though the broader context of similar breaches at other universities mentioned in the same timeframe included social security numbers and contact details. The institution notified affected individuals about the potential exposure of their data but reported no evidence of malicious use of the compromised information at the time of disclosure. OSU continued investigating to determine whether the attacker had exfiltrated or misused the sensitive documents, while simultaneously addressing the phishing campaign launched from the compromised account.