Princeton University on Saturday sent a message to people – including students, alumni, donors, some faculty, and parents – whose information may have been accessed during a data breach that lasted “less than 24 hours.”
The breach occurred on November 10, and the notice told members of the university community that their information may have been accessed by “outside actors.”
“While our investigation is ongoing, we are reaching out to you now to urge you to be alert for unusual messages that purport to come from the University. No one from Princeton University should ever call, text, or email you asking for sensitive information such as Social Security numbers, passwords, or bank information,” the notice said.
Why It Matters
Nearly 75 percent of Americans have experienced online spam or phishing attacks, according to the Pew Research Center.
Phishing involves attempts to solicit personal information from an individual, including passwords or bank account details, by using deceptive texts or emails. For example, New York state this week warned that spam messages had been sent through its official text message updates.
The state quickly sent out a follow-up message warning residents not to reply to the previous message or call the phone number it mentioned.
What To Know
Princeton opened an investigation after discovering the incident and removing the attacker or attackers from the school’s systems. The school again stressed that the breach lasted under 24 hours and added that it believes no other systems were compromised during the attack.
The school also said it does not know what information may have been accessed, but will provide updates as the full scope of the attack becomes clearer.
The school confirmed that the compromised database did not include Social Security numbers, passwords, or financial information, and the database contained no personal information, such as names, email addresses, telephone numbers, and addresses.
However, the database may have contained information about fundraising activities and donations made to the university and “engagement activities.”
The school also revealed that the breach occurred following a phone phishing incident that targeted a school employee with “ordinary access” to the database in question. The school received no demands around the attack.
What People Are Saying
Princeton University in its notice warned, in part: “If you have any doubts about whether a communication you receive from Princeton University is legitimate, please verify its legitimacy with a known University person before clicking on any links or downloading any attachment.”
The FTC on its website warned: “While real companies might communicate with you by email, legitimate companies won’t email or text with a link to update your payment information. Phishing emails can often have real consequences for people who give scammers their information, including identity theft. And they might harm the reputation of the companies they’re spoofing.”
What Happens Next
Princeton has contacted law enforcement and is working with them, but cannot share any additional information about the investigation, which may take “several weeks” to complete.