More than 300,000 at Risk After Major Breach at Florida College

ID THREATPOST:C62B2B5D13B403A79F23F895E632AB48
Type threatpost
Reporter Anne Saita
Modified 2013-04-17T16:31:24


A security breach initially believed contained to about 50 employee records now appears to involve almost 300,000 students, faculty and employees at a Florida college.

Officials at Northwest Florida State College in Niceville today confirmed a massive data breach and hundreds of thousands of stolen records that include names, birth dates and Social Security numbers.

“We know from May 21, 2012 until September 24, 2012 one or more hackers accessed one folder on our main server,” President Ty Handy wrote in a memo to all college employees. “This folder had multiple files on it. No one file had a complete set of personal information regarding individuals. However, by working between files, the hacker(s) have been able to piece together enough information to be able to engage in the theft of identity of at least 50 employees.”

The scope of the data theft has since broadened to include sensitive records for any student in the state of Florida who was eligible for the popular Bright Futures scholarships for the 2005-06 and 2006-07 school years. Additionally, the attackers stole more than 3,000 employee records, including financial data for any employees who signed up for direct deposit since 2002. Another 76,000 records belonging to current and former students were stolen as well.

Where ID theft has been confirmed, the hackers used the information to obtain personal loans, advance loans or a Home Depot credit card.

Among the initial victims was Handy himself.

“I recognize that this is a significant hassle for those whose information is used to commit identity theft,” the president said in the memo. “I was one of the first seven or eight to be hit personally and I have spent several hours on the phone working with my bank and others to protect myself. It is not an enjoyable experience and for that I apologize.”

The school’s main campus and satellites include about 17,000 students.

State law allows organizations a 45-day window to alert victims, but Handy said campus officials decided to notify everyone well ahead of that deadline. Because of the size of the breach, local police have teamed with state and federal cybercrime experts to investigate.