By Emily Williams, Assistant Features Editor
The life of a student at times can be a very hectic, stressful one. Attempting to balance classes, a checkbook, work and extracurriculars can be difficult and has the potential to take a large toll on a student’s peace of mind. Unfortunately, since the protection of sensitive data is becoming more and more of an issue for universities across the globe, students have to add the possibility of someone gaining access to their personal information to their list of stressors. We found this to be true for Murray State on Dec. 13 when news.admin sent out their second email of the year warning students, faculty and staff of a potential scam.
According to the email, a phishing email was sent through the Murray State system that was intended to trick recipients into clicking the link to a spoofed MyGate login page. 650 recipients clicked on the link and provided their MyGate username and password gave scammers access to confidential information such as their legal name, home address, grades, direct deposit information, W2 information and social security number.
Brian Purcell, Associate Chief Information Officer and Chief Security Officer at Murray State, said the email was reported to the Information Security team via firstname.lastname@example.org. Recipients whose Direct Deposit information had changed were notified to ensure they were the ones who made the change and all recipients were encouraged to change their MyGate username and password.
“Phishing emails are very common across Higher Education and the Internet in general,” Purcell said. “This particular message was better crafted than most, and the bad guys actually took the time to customize the phishing email to target the Murray State users.”
Purcell said phishing emails are normally very generic and sent to as many people as possible. He said in some instances, a more customized phishing email is created and sent to targeted communities of individuals and that the technique has been used on many organizations.
This is not just an issue at Murray State, but at other major universities across the globe. According to usatoday.com, The University of Central Florida was hit by a data breach in Feb. that affected 63,000 current and former students and staff. Their names and social security numbers were compromised when a hacker attacked the school’s computer system.
Kentucky State University, University of Virginia, University of Minnesota and Harvard University are also among those affected by data breaches in the past year, according to fightingidentitycrimes.com.
“We are working on security features for MyGate that will be implemented in the near future,” Purcell said. “We will also be modifying the Direct Deposit functionality for MyGate to send an email when information is changed.”
Purcell also said they have made changes to the server infrastructure to allow for better logging of MyGate sessions.
Keith Weber, Chief Information Officer at Murray State, said raising public awareness is key to helping identify these attacks.
“I am so proud of the quick and proactive steps taken first by a faculty member then by members of Information Systems and Accounting & Finance to successfully mitigate the risk of this phishing email,” Weber said.
He said these phishing emails continue to get more and more elaborate.
“We all need to increase our awareness and knowledge of how to quickly identify and respond to these attacks,” Weber said.