Security Experts:

Northwest Florida State College Says Clever Attackers Were Successful in Data Breach

Professional, coordinated attackers with a plan, breached a server maintained by Northwest Florida State College (NWFSC) and walked off with nearly 300,000 records, and have used the information to commit at least 50 acts of identity theft, the school’s president said.

NWFSC officials reported on Monday that between May and September of this year, a server containing records on some 3,200 employees was breached. Notification using all campus email was initiated, and the staffers were told to watch for unusual patterns on their credit report.

On Wednesday, the school updated the initial report after further investigation to include the fact that data on 76,500 current and past students, as well as 200,000 Bright Future scholars across the entire state of Florida were impacted. The investigation is ongoing, with both an external expert consultant and a cybercrime investigator from the Okaloosa County Sheriff’s Office involved. NWFSC is also working with the Division of Florida Colleges in the Department of Education to notify all students impacted by the data breach.

“The integrity of the NWFSC system has been restored and there is no indication of any additional instances of compromise of personal information,” said Dr. Ty Handy, college president.

The lack of further incident is good news to be certain, but Dr. Handy’s memo to the school’s staff on the incident is both disturbing and eye opening from an Information Security perspective. If anything, it can serve as a nightmare scenario for organizations on data protection.

According to the investigation details in the memo, between May 21 and September 24 of this year, the attackers targeted a single folder on the main NWFSC server. The folder housed several files on it with personal information, but no single file had a complete set of information.

“However, by working between files, the hacker(s) have been able to piece together enough information to be able to engage in the theft of identity of at least 50 employees...by working between files, data regarding Name, Social Security Number, Date of Birth, and Direct Deposit Account numbers were accessed. Additional directory information such as address, phone numbers, college email address, etc. was also likely compromised.”

With the collected data, the attackers have used PayDayMax, Inc., as well as Discount Advance Loans (iGotit.com, Inc.), to take out loans and have them repaid from the employee’s bank account. Both pay-day loan services are located in Canada and linked to several cease and desist actions from various states, as well as consumer complains for overcharging on fees and interest. In addition, the stolen data has been used to apply for Home Depot credit cards under the employee’s name.  

“We speculate that this was a professional, coordinated attack by one or more hackers,” the memo from Dr. Handy said. 

NWFSC has also speculated that vendors (less than 40) with whom the school has used electronic funds transfers for bill payments are also at risk, but they have no proof to say one way or another. At this point, they are not willing to rule it out.

“The access pathway used to invade our main server has been sealed. We hope to know, by the end of this week precisely who had their information compromised. We will not wait 45 days to provide individual contact regarding this, instead we will notify individuals as soon as we can,” Dr. Handy added.

“I regret that this situation has occurred. It is most unfortunate,” he continued. “I applaud the quick response and hard work of the IT department to identify and close the access point and for their ongoing efforts to ferret out what and who was compromised once they became aware of the infiltration. I recognize that this is a significant hassle for those whose information is used to commit Identity Theft. I was one of the first seven or eight to be hit personally and I have spent several hours on the phone working with my bank and others to protect myself. It is not an enjoyable experience and for that I apologize.”

Subscribe to the SecurityWeek Email Briefing
view counter
Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.