Cyber Incident Victim: St. Louis Community College
Date: Jan 2020
Location: United States of America
Summary
A phishing scam compromised personal information of over 5,100 students and employees at St. Louis Community College through targeted email attacks that breached employee email accounts. Exposed data included names, personal and work phone numbers, college and personal email addresses, dates of birth, and physical addresses, with Social Security numbers compromised for 71 individuals. The incident resulted from unauthorized access to institutional email systems via deceptive phishing campaigns.
Description
On January 13, 2020, St. Louis Community College discovered a data breach resulting from a phishing scam targeting its students and employees. Cybercriminals executed a series of email phishing attacks, successfully compromising employee email accounts containing sensitive information. The breach exposed personal data belonging to more than 5,100 individuals affiliated with the college, including both staff members and students. Attackers gained unauthorized access to stored communications and attachments within the compromised email accounts, though the exact duration of their access prior to detection was not specified in available reports. College officials confirmed the incident on the same day it was identified, initiating internal investigations to assess the full scope. The phishing campaign specifically leveraged deceptive emails to trick recipients into providing credentials or enabling account access, though technical details about the phishing mechanisms were not disclosed publicly. No evidence suggested system-wide network intrusions beyond the email account compromises.

The compromised data included names, personal and work cellphone numbers, college email addresses, personal email addresses, dates of birth, and physical addresses. Among the affected individuals, 71 had their Social Security numbers accessed by the attackers, representing a subset of the total impacted population. The college did not publicly confirm whether financial information, academic records, or health data were exposed in the incident. While the breach notification confirmed the exposure of sensitive personal identifiers, no specific details were provided regarding how the compromised information was subsequently used by the threat actors or whether it appeared in illicit forums. The college spokesperson acknowledged the incident but did not disclose remediation steps taken to secure the email accounts or prevent future phishing attempts at the time of initial reporting. Affected individuals were presumably notified, though the notification timeline and any offered support services were not elaborated upon in available sources. The incident underscored vulnerabilities associated with email-based attacks targeting educational institutions.
