Cyber Incident Victim: The George Washington University
Date: Dec 2022
Location: United States of America
Summary
A malicious intruder accessed the university's directory, obtaining first and last names, departments, positions, email addresses, office phone numbers, and campus addresses of students, faculty, staff, and alumni. This led to phishing campaigns impersonating community members, promoting false employment opportunities, payroll updates, and insurance enrollment. Officials confirmed no sensitive personal information was compromised beyond directory data and blocked unauthorized access while initiating an investigation. The attacks exploited inactive email accounts lacking two-step authentication, enabling intruders to distribute deceptive emails but not access back-end systems or download sensitive data. Multiple alerts urged recipients to ignore suspicious messages and report them, with affected users notified directly. The incident reflects broader trends of escalating phishing attempts targeting institutional networks.
Description
In mid-December 2022, George Washington University (GW) began experiencing a series of phishing attacks targeting students, faculty, staff, and alumni. GW Information Technology (GWIT) issued multiple email alerts starting December 16, warning the community to ignore messages requesting personal information, avoid clicking suspicious links or attachments, and report fraudulent communications promising financial rewards or unexpected opportunities. These phishing attempts impersonated legitimate GW communications, promoting fake employment opportunities, payroll updates for faculty, and enrollment for 2023 insurance benefits. The attacks escalated in early February 2023 when a malicious intruder exploited inactive GW email accounts lacking two-step authentication to gain unauthorized access to the GW Directory. Through this breach, the attacker harvested first and last names, departmental affiliations, job titles, GW email addresses, office phone numbers, and campus addresses of community members. The compromised directory data enabled further phishing campaigns distributed via GW’s web portal.

GWIT confirmed no sensitive personal information—such as financial data, passwords, or Social Security numbers—was compromised during the incident. The intruder did not gain back-end access to university systems or the ability to download sensitive records. Upon detecting the breach, GWIT blocked unauthorized access, initiated an investigation, and directly notified individuals who received phishing emails. Officials emphasized that legitimate GW student hiring occurs exclusively through official channels like GW Career Services. The university implemented additional security layers, including email filters that block over 100,000 suspicious messages weekly and reinforced two-step authentication requirements. Community members were instructed to forward suspicious emails to [email protected] and direct privacy concerns to the GW Privacy Office. This incident followed prior cybersecurity challenges at GW, including a 2021 breach of commencement vendor Herff Jones that exposed student payment details, a 2021 ransomware attack disrupting GW Hospital operations, and compromises of the MyLaw and Kronos systems that leaked GWIDs, schedules, and contact information.
