The security breach affected 1,674 accounts and could have exposed sensitive information to attackers. (Photo by Sam Joseph/The Ram)
On Jan. 8, a mass email was sent out to 1,674 members of the Fordham faculty, staff and student body. It was sent from the account of Diane Cuomo, an executive administrative assistant at Fordham. The email, which was entitled “Important Document,” contained a link to a Google Drive file, which asked for recipients’ my.fordham usernames and passwords.
Unfortunately for those recipients, Cuomo was not the one who had sent the email.
Her account had been compromised and used in a phishing scam, a type of online attack that has become one of the most common methods of stealing confidential data, often via email. Such scams can ultimately lead to identity theft and leakage of sensitive information. The Jan. 8 incident marked the most severe phishing case that Fordham University had ever experienced.
“[In the past] we have experienced phishing schemes, and we have experienced people who have given away their credentials,” Jason Benedict, executive director of IT, said. “We have not yet…seen a high-ranking university official give away their username and password, and then have that username and password used against Fordham University…[this] is the most impactful.”
The IT department was made aware of the security breach soon after it happened, and was able to identify the problem within a few hours.
“[We] reached out to all 1,674 people saying ‘If you received this email, and you did nothing, you’re okay. If you inadvertently clicked the link, you’re still okay. If you clicked the link and gave away your credentials, you’ve been compromised, the bad guy has your username and password, please change your password,’” Benedict said.
A few days later, another problem came to IT’s attention. Some of the people who had inadvertently shared their passwords had failed to change them. The number of threatened accounts was becoming exponentially larger.
“Their accounts were used against the university and compromised, flipped, and then spam went out from them,” Benedict said. “It was a growing concern.”
It also put IT in a difficult position, because there was no way to tell which passwords were safe and which had been shared. The only possible course of action was to forcibly reset the passwords of all 1,674 people who had received the email.
“We understand that it was inconvenient, but the good of the many had to outweigh the good of the few,” Benedict said.
Even though this scam was the most threatening to date, the dangers of phishing scams had been on Fordham IT’s radar long before this incident.
The department launched a security awareness campaign in March 2013, with the intention of raising student and faculty awareness about scams like phishing. This was done by sending mock phishing emails to members of the Fordham community so that they would be able to differentiate between scams and legitimate emails.
“We’re sending out fake phishing scams, so it’s Fordham IT posing as somebody posing as Fordham IT,” O’Hare Hall Resident Technology Consultant Zane Larwood, FCRH ’16, said. “They want you to realize that it looks like a phishing scam and don’t click on it.”
According to Benedict, this campaign has been effective so far.
“What we were hoping to do was garnish some metrics on what the response rates were on phishing, and then adjust our technology accordingly,” he said. “We were hoping to raise folks’ awareness that these were threats that were imminent, and we do believe that it was successful because the number of folks who responded to the 1,674 was…comparatively very small to the population that received the email. However, the ones who did fall victim affected the university greatly.”
Faux phishing emails are designed to be easy to spot, but they can still confuse recipients who are not familiar with the concept of phishing.
According to David Lasco, FCRH ’16, the Tierney Hall resident technology consultant, a good rule of thumb is to be wary of any email that asks for very personal information.
“Fordham staff will never ask for a student’s username/password via email, so any email requesting this information is a phishing email,” Lasco said. “As long as students are aware of this, don’t provide their information, and delete the emails as soon as receiving them, then they aren’t at risk.”
Larwood agreed. “There’s generally three signs to being a phishing scam,” he said. “Number one, it’s asking for information that shouldn’t be getting asked for…Number two, they ask you to download something…The third with a phishing scam is that it just looks slightly off. There are grammar mistakes, spelling mistakes…with phishing scams, the number one thing is common sense.”
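The three signs Larwood lists, together with Lasco's rule that staff never ask for a password by email, can be turned into a simple mail triage heuristic. The following is an added example, not Fordham IT's filter; the keyword lists, scoring weights and sample messages are constructed assumptions, and the first sample mimics the “Important Document” lure described in the article.

```python
import re

# Indicator 1: the message asks for information that should not be asked for.
CREDENTIAL_WORDS = re.compile(r"\b(password|passwd|username|login|credentials?)\b", re.I)
# Indicator 2: the message asks you to download or open something (or follow a link).
DOWNLOAD_WORDS = re.compile(r"\b(download|attached|open the (attached|document)|view document)\b", re.I)
LINK = re.compile(r"https?://\S+", re.I)
# Indicator 3: the message "looks slightly off": double spaces, lowercase after a
# full stop, or a few common misspellings. Crude by design; an assumption.
SLOPPY = re.compile(r"(  |[.!?] [a-z]|(?i:\b(recieve|untill|kindly)\b))")

def phishing_indicators(subject, body, sender_domain, trusted_domain="fordham.edu"):
    """Return which of the article's indicators fire for one message."""
    text = f"{subject}\n{body}"
    return {
        "asks_for_credentials": bool(CREDENTIAL_WORDS.search(text)),
        "asks_to_open_or_download": bool(DOWNLOAD_WORDS.search(text) or LINK.search(text)),
        "looks_off": bool(SLOPPY.search(text)),
        # A credential request that appears to come from the university itself
        # contradicts the stated policy, so it is weighted more heavily below.
        "claims_trusted_sender": sender_domain.lower().endswith(trusted_domain),
    }

def triage_score(hits):
    """Weights are assumed for illustration, not tuned on real mail."""
    score = 0
    if hits["asks_for_credentials"]:
        score += 3 if hits["claims_trusted_sender"] else 2
    if hits["asks_to_open_or_download"]:
        score += 1
    if hits["looks_off"]:
        score += 1
    return score

def verdict(subject, body, sender_domain):
    score = triage_score(phishing_indicators(subject, body, sender_domain))
    return "quarantine" if score >= 3 else ("review" if score == 2 else "deliver")

# Constructed samples: (subject, body, sender domain).
SAMPLES = [
    ("Important Document",
     "Please view the shared document at https://drive.google.example/file "
     "and sign in with your my.fordham username and password.", "fordham.edu"),
    ("Lab meeting moved", "The Thursday lab meeting moves to 3pm in JMH 342.", "fordham.edu"),
    ("Your package", "Track your  parcel here: http://track.example/xyz", "mail.example"),
]

if __name__ == "__main__":
    for subject, body, sender in SAMPLES:
        print(f"{subject!r}: {verdict(subject, body, sender)}")
```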
In the midst of the investigation that has followed the security breach, IT is making a point of ensuring that everyone at Fordham, especially high-ranking faculty and staff members, is aware of phishing risks. This includes seminars about scam awareness for faculty and additional resources and information available to students through Blackboard.
As far as the fake phishing emails go, however, Benedict says there are no immediate plans for any more simulations, as everyone is “elevated about it because of the incident.” Now, it seems, is just too soon for any more scares.