5,000 affected by college data breach

By Joshua Phelps
The Scene staff

More than 20 employees with St. Louis Community College fell victim to a phishing attack that caused a data breach for an additional 5,000 students, faculty and staff members.

“Sensitive” information such as names, phone numbers, email and home addresses, dates of birth and college A numbers were leaked, according to a Feb. 4 email from Keith Hacke, STLCC chief information officer. Social Security numbers were involved in 71 of the cases.

“Most of the compromised accounts were secured within 24 hours of the incident,” Hacke wrote. “All accounts were secured within 72 hours.”

The data breach took place on Jan. 13, according to STLCC Communications Manager Nez Savala.

“Some employees fell for a phishing incident,” she said in a phone interview. “An email was sent, and someone opened it mistakenly, and that led to (the hackers) having access to student data.”

The college had reasons for waiting three weeks to announce the data breach, Hacke said in his email.

“For example, information needed to be collected and analyzed from multiple systems to identify all of the impacted individuals and ensure the accuracy of the information that was contained in employee email accounts.”

Students, faculty and staff members affected by the data breach were alerted by mail or email, Savala said.

The news was upsetting to fine arts major Aniya Woods, 21, even though she didn’t receive a notice from the college that her privacy had been invaded.

“We’re supposed to believe our information is secure,” she said. “That’s tragic.”

Graphic communications major Edrick McDonald, 19, called the data breach “awful” and “not OK.”

Systems networking major Tia Flenor, 19, said she was “shocked” that the phishing attack was successful.

“It originated from outside the college,” said Matthew Gioia, STLCC associate director for IT security and compliance. “An account sent a phishing email to our employees. One of those accounts was compromised.”

The college is offering a credit-monitoring service free of charge to students, faculty and staff members whose Social Security numbers were leaked, Savala said.

On Feb. 12, STLCC sent an email to faculty and staff, asking them to complete online cyber-security-awareness training by March 13.

The college was already in the process of improving security for faculty, staff and student email accounts before the recent data breach happened, Savala said. Multifactor authentication, which requires users to sign in with their regular passwords, then enter randomly generated six-digit codes, went into effect Jan. 31.

“For employees who have access to the network, if we’re off-site or off-location, there are extra layers of (security) that have to be taken before we can have access to the network when we are not on STLCC property,” Savala said.

This isn’t the first time STLCC has experienced a data breach. In March 2019, the college mistakenly emailed personal information for nearly 4,000 students to Bayless School District in south St. Louis County. The district quickly deleted the email.

In March 2018, STLCC announced that the personal information of 362 students was sent to other students in an email attachment. The college located and removed the email from its system.