ETSU investigating ‘phishing’ attack, providing $22,000 in credit monitoring for victims

JOHNSON CITY, Tenn. -- East Tennessee State University officials are investigating a "phishing" attack, in which the email accounts of two employees were compromised and the personal information of thousands may have been accessed.

An ETSU spokesman confirmed two employees from the same department, with access to detailed personal information of thousands of members of the university's faculty and staff, clicked the fraudulent links some time around Sept. 25.

The first breach was discovered on Oct. 17. The second, using the same email sent to a different employee, was discovered on Oct. 26. Upon discovery, both accounts were immediately disabled and investigations were launched.

"We had to go through every email, email by email, line by line," Joe Smith, a spokesman for the university, said. "We wanted to do that so we know exactly the names of the persons who may have had information that could have been accessed."

It's still unclear who is behind the attack, though university officials believe the individuals were targeted because of their access to personal information of employees. The phishing email appeared to be from a fellow employee.

Among the thousands of emails contained in the two accounts was the personal information of approximately 7,700 staff and faculty members. Information included names, birthdays and social security numbers.

While the breaches only appear to have impacted faculty and staff, some students may also be at risk, officials say, if they were listed as dependents or beneficiaries.

ETSU is now reaching out to every individual impacted by the incident, including former employees. A year-long credit monitoring service will be provided at no cost to the potential victims. The university is paying around $22,000 for the service.

Ben Lawson, one of the area's foremost experts on cyber security because of his certification as an information systems security professional, says the attack on ETSU accounts has all the signs of a spear phishing attack that targets people with access to personal information.

Lawson, who works for Burk I.T. in Kingsport, says education is the best way to protect yourself, and your employer, from attacks over email.

"Make them aware of what these emails look like, that they can be very well-crafted," Lawson said. "These are professional organizations that craft these emails to fool people on a regular basis."

ETSU says it began flagging external emails a few months ago, and will now implement a two-step login process for email access off-campus.

A hotline has also been established for victims of the breaches: (423) 439-3338