Cyber Incident Victim: University of Idaho

Date: Jan 2017

Location: United States of America

Summary

A University of Idaho employee fell victim to a phishing email appearing to originate from a legitimate institutional account, prompting them to disclose their Office 365 credentials. This compromise enabled unauthorized access to the employee's email account, which contained personal information—including names, addresses, and Social Security numbers—belonging to 257 individuals. The institution detected the malicious activity, secured the account by resetting credentials, and initiated an investigation with external cybersecurity experts. While no evidence indicated misuse of the exposed data, affected personnel were notified to facilitate protective measures.

Description

On January 24, 2017, the University of Idaho detected unauthorized activity involving an employee’s email account being used to send phishing emails. The phishing attempt targeted another employee by directing them to a fraudulent website mimicking an Office 365 login portal, prompting the recipient to enter their email credentials. The university immediately initiated an investigation upon discovery and changed the compromised account’s passwords to prevent further unauthorized access. The investigation revealed that an attacker had potentially accessed the employee’s email account, including stored messages. The university retained an external computer security firm to assist with the expanded inquiry. While the exact method of initial account compromise was not disclosed, the incident appeared to involve multiple stages, as the phishing email originated from a legitimate university account.

The investigation confirmed that the compromised email account contained personal information belonging to 257 university employees. Exposed data included names, addresses, and Social Security numbers. The university issued notifications to all affected individuals on March 6, 2017, advising them to take protective measures even though there was no evidence of data misuse. The institution emphasized its proactive containment efforts, including credential resets and forensic analysis, but did not disclose whether additional security controls were implemented. No further unauthorized access occurred after the initial password changes. The incident highlights the risk of credential-phishing attacks that leverage an already compromised internal account to target other employees, since mail from a legitimate institutional sender bypasses the suspicion an external address would raise.
