The College of the Holy Cross reported the data breach to the Attorney General's Office after seven of its employees were found to have given in to the demands sent by a cybercriminal in a phishing campaign.
It appears that in September 2011, an HR staff member received an email that appeared to come from the “System Administrator,” urging her to provide the username and password of her email account. After she provided the information, the contents of the account were erased.
It was later discovered that six other employees had fallen for the same scheme, with a total of 30,000 emails being lost.
The IT department managed to restore the erased data, but the real problem was that the tens of thousands of emails contained sensitive information belonging to a total of 493 individuals from 20 jurisdictions.
“Although we received no evidence that any affected individuals' personal information has been misused, all individuals receiving notification, including those in New Hampshire, are being offered one year of credit monitoring services, as well as identity fraud insurance and identity restoration assistance,” the statement reads.
Luckily, only four people had highly sensitive information, such as Social Security and financial data, leaked.
It has been determined that the phishing campaigns were launched from Nigeria and Ghana, with the FBI confirming that similar operations coming from Nigeria have been spotted for years.
To prevent such attempts in the future, the Holy Cross faculty and staff were informed about such attacks and how to steer clear of them.
Hopefully, no one will suffer as a result of the breach, with the necessary steps being taken to prevent an unfortunate situation. On the other hand, as I've mentioned many times before, employees in charge of other individuals' sensitive data should be more cautious when replying to suspicious requests.
Always check with your actual system administrator before acting on instructions that you received via email, since you never know where a phish might come from.