JOHNSON CITY, TN (WJHL) — A data breach impacting employees at East Tennessee State University remains under investigation.
University officials tell News Channel 11 that two unidentified employees clicked on a link in the phishing scam that was sent to their e-mail accounts.
ETSU spokesperson Joe Smith elaborated on that phishing scam e-mail Monday afternoon.
“We believe that these two employees were part of a group of employees that the e-mails were sent directly to intentionally, they clicked on the e-mail because they thought the e-mail was coming from another supervisor…so yes we do think these two employees were part of a group of employees that were intended to get this message, this is not something that went university-wide,” Smith said.
Over the past few weeks, ETSU has been investigating and working to identify which staff members were affected and what information may have been exposed.
We asked why there was a gap between the time the potential breach happened and when employees were informed Monday.
“We wanted to be very careful that we went through these documents very carefully, and we had a good understanding of whose information might have been there, and who we needed to notify,” Smith said.
We also wanted to know if either of the two employees who clicked on the phishing scam e-mail was disciplined in any way.
“Well this is a personnel matter involving the two employees and that’s all I can say, but we are addressing this,” Smith said.
Those unauthorized users could have accessed the private information of 7,700 people, which could include personal information like full names and Social Security numbers.
Smith said this notice also went out to some former and retired employees who may have been impacted. If the university did not have an e-mail address for those former employees, he said they would be notified by way of mail.
“The e-mails in one of the accounts goes back to 2013, so if that employee had a reason to have had information shared with that person around 2013, it could have been there, so again that’s why it’s kind of hard to say there wasn’t a certain time period, just depending on what was in that account,” Smith said.
ETSU officials sent this letter out to employees this morning, which said in part:
On October 17, 2018 ETSU ITS discovered that an ETSU employee clicked on a phishing email that resulted in an unauthorized person accessing her email mailbox. Immediately upon discovery, ETSU ITS disabled the employee’s email access, reset the employee’s username and password and commenced an investigation…We are notifying you, because personal information about you and/or individuals in your family, household or otherwise, was contained in one of the employee’s email mailbox. The types of information present in the email mailboxes include full name and security numbers of each individual listed below: Other information that may have been included is noted next to the individual’s name.
ETSU arranged to provide a year’s worth of free identity protection with AllClear ID for those employees impacted. They also said you can go to this website to get more information, or contact the university by way of phone at 423-439-3338.