Cyber Incident Victim: Graceland University
Date:
Mar 2019
Location:
United States of America
Summary
Graceland University experienced unauthorized access to multiple employee email accounts, potentially compromising personal information of individuals who had interacted with those accounts over several years. The exposed data included names, social security numbers, dates of birth, addresses, contact details, family information, salary data, and financial aid records. While the breach investigation revealed no evidence of data misuse, the university notified affected parties regarding the incident's scope and potential risks associated with the compromised sensitive information.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
Graceland University experienced a data breach involving unauthorized access to employee email accounts across multiple periods in March, April, and May 2019. The initial intrusion occurred on March 29, followed by additional compromises between April 1-30 and April 12-May 1, affecting accounts of current employees. During their investigation, the university determined that personal information belonging to individuals who had communicated with these email accounts over several preceding years was exposed during the periods of unauthorized access. The compromised data included full names, Social Security numbers, dates of birth, physical addresses, telephone numbers, email addresses, family member details (parents/children), salary information, and financial aid records for current or prospective students. No evidence indicated that the exposed information had been stolen or misused for malicious purposes following forensic examination of the incident.
The university publicly disclosed the breach through a notification published on June 14, 2019, alerting affected individuals about the potential exposure of their sensitive personal data. Internal investigations revealed that the attackers gained access to employee email accounts, though the specific method of initial compromise was not detailed in public communications. Graceland did not report whether law enforcement was involved in their case, unlike Missouri Southern State University which collaborated with FBI cybercrime investigators following its separate incident. The university's notification process focused on individuals whose information resided in the compromised email accounts, without specifying the total number of affected parties or whether external forensic specialists assisted their investigation. Response measures implemented by Graceland were not explicitly outlined beyond standard breach notification procedures, and the institution maintained that no fraudulent activity involving the exposed data had been detected as of their June disclosure date.