14 DAY TRIAL // For a period of about two weeks, unidentified individuals had access to personally identifiable information and financial details stored at Point Loma Nazarene University, after tricking five employees into accessing malicious content delivered via email.
The University says that the illegal access to the employees’ email accounts lasted between October 7 and October 20, giving the perp(s) access to sensitive data.
An investigation was immediately started in order to determine the type of data that was accessed and the number of individuals affected.
Personally identifiable info and card data has been exposed
According to an official communication from Chief Information Officer Corey Fing, the attacker(s) had access to names, social security numbers, dates of birth, credit card numbers, credentials, and driver’s license numbers.
However, card data may also have been accessed and it includes not just the credit card number and the expiration date but also the Card Verification Value/Code (CVV/CVC).
It is important to note that according to the Payment Card Industry Data Security Standard (PCI DSS), the CVV code should not be stored on the systems of the merchant, or the University in this case.
In combination with the card number and the expiration date, this is extremely valuable in the hands of cybercriminals since this is all the information they need to shop online, the merchandise being translated into cash at a later time.
Even if an additional security measure is enabled, such as 3D Secure, transactions can still be carried out at plenty of merchants that did not offer support for this mechanism, which means that their shopping options are limited, but not by much.
Security upgrade has been imposed
“The University takes this matter, and the security of the personal information in its care, seriously and has taken measures to ensure that this type of exposure does not occur again. The University disabled the affected accounts, changed the passwords, and ensured that they were not used to access any portions of the University’s system,” says the letter to the affected individuals.
Additional steps taken to prevent such incidents include training and instructions for the employees to be able to avoid phishing attacks. These measures may not be 100% efficient since humans can still be tricked with strong social engineering skills, but in order to upgrade the protection, the educational institution enabled two-factor authentication (2FA) for the accounts that may handle sensitive information.
To remedy the damage done by a potential leak, the University provides a free one-year membership to a service dedicated to mitigating risks resulting from identity theft incidents.
