Cyber Incident Victim: Northeastern State University
Date: May 2023
Location: United States of America
Summary
A cybersecurity incident at Northeastern State University resulted in data being stolen from its network. The compromised information included images of personal identification such as driver's licenses, passports, Social Security numbers, and W-9 forms, as well as spreadsheets and letters. The stolen data was subsequently confirmed to have been posted on the dark web. The university is working with federal law enforcement and cyber experts to assess the full extent of the breach.
Description
On May 26, 2023, Northeastern State University (NSU) in Tahlequah, Oklahoma, experienced a cybersecurity incident that impacted its network. The university promptly alerted its students and faculty about the breach on the same day it was discovered, informing them of a disruption but initially providing limited details on the nature or scope of the event. The incident involved unauthorized access to the university's systems, which resulted in data being exfiltrated from the network.

Following the initial alert, the university engaged external cybersecurity experts to assist in investigating the breach and managing its response. These experts worked in conjunction with the university's internal IT department to analyze the compromised systems and determine what specific data was accessed and stolen. The investigation confirmed that the attackers had successfully acquired a significant quantity of sensitive institutional and personal data.
By the following Thursday (June 1, 2023, counting from the May 26 start date), the investigation had progressed enough for the university to release a new public statement. In this update, an NSU spokesperson confirmed that data stolen during the incident had been posted on the dark web. This confirmation indicated that the incident was a ransomware attack or another form of cyber extortion in which stolen data is published to pressure the victim. The data set published on the dark web was confirmed to include highly sensitive personal identification information.
The types of data exposed in the breach were detailed in the university's statement. The stolen and published information included images of personal documents such as driver's licenses and passports. It also included W-9 forms, which contain taxpayer identification numbers and other financial data, as well as Social Security numbers. Beyond these forms of personal identification, the compromised data extended to institutional documents, including spreadsheets and letters, suggesting that a broad array of the university's digital files were accessed and exfiltrated during the attack.
The university's IT department, alongside the external security consultants, continued working diligently to assess the full extent of the data that was compromised. This forensic analysis was crucial for understanding the complete impact of the incident and for fulfilling legal obligations to notify affected individuals. As part of its response, the university also involved federal law enforcement agencies, collaborating with them to investigate the attack and track the threat actors responsible.
In its June 1 statement, the university issued a recommendation to the entire NSU community, which includes students, faculty, and staff, advising them to monitor their personal data vigilantly. The primary concern was the high risk of identity theft stemming from the exposure of Social Security numbers, driver's licenses, and passport information. The university committed to following state and federal regulations regarding breach notifications, explicitly stating that individuals would be formally notified if it was determined that their protected information was accessed during the cyber incident.
The incident had significant consequences for the individuals whose sensitive personal information was stolen and subsequently published on the dark web. The exposure of such data creates a long-term risk of financial fraud and identity theft for those affected. For the university as an institution, the event represented a serious breach of its network security and a compromise of its duty to protect the sensitive information entrusted to it. The operational response required a substantial allocation of resources from the IT department and external experts to contain the breach, investigate its causes, and begin the process of recovery and securing systems against future attacks. The publication of the data on the dark web also damaged the university's reputation by making the severity of the breach a matter of public record. The full scope of the data compromised and the number of individuals impacted were details that remained under investigation at the time of the public statement.
