Student and faculty email accounts were targeted by an email scam that came through thousands of inboxes on February 4.
The next day Dr. Diane Campbell, Vice President of Student Affairs, sent out an email to students and staff directed from the IT department explaining that the phishing scam had taken place. Dr. Campbell advised students to immediately change their account usernames and passwords.
In the email, Dr. Campbell wrote, “If you have clicked on the ‘Blue Box’ in an email, your account may be compromised, and your password may have already been reset.”
Chuck Keeler, Chief Information Officer (CIO) for IT, says that by the following Thursday, the situation was being taken care of.
“We [employees of IT] wrote rules into the email service that we use [Microsoft], and we blocked those emails from actually being delivered out to people’s email,” Keeler said.
Keeler continued, “Through that procedure, we can look at the various ways the emails were coming in, and the various ways the messages within them were being written, so we can block them ahead of time.”
However, Keeler notes that if students happened to open the email before it was blocked, there was a chance they were victims of the phishing scam. Phishing is the practice of sending emails that are designed to look like they come from legitimate sources but that encourage the reader to give up private information.
Shawn Slaughter, a current student and the Operations Manager of Mercer’s radio station, Viking 89, got one of the phishing emails and clicked the blue box. The warning email from Dr. Campbell arrived just three minutes later.
Slaughter says when he clicked on the blue box it asked him to input all of his personal email information, username and password. Then, after gaining access to the account, the hack sent the phony email to all of his email contacts.
Slaughter is not alone. In a survey of 50 students, 40 percent said they received the phishing email. After getting the dean’s warning, only 45 percent of the students took the time to change their passwords.
Assistant Dean of Student Services John Simone said, “I had no idea of the attack until I received the [warning] email. I could almost have been a victim myself.” Simone continued, “I receive tons of email a day, and when I received the email from the phish, I refused to open it because I was skeptical.”
This is not the first time Mercer has faced cybersecurity problems. In 2012, previous Director of Information Technology Services Susan Bowen was interviewed by The VOICE regarding a data hacking incident in August of that year, where 14,000 Mercer students’ private emails were accessed.
In the 2012 incident, the hacker had access to personal information including students’ social security numbers. Although no evidence of fraud was detected, an article was published by The Times of Trenton on October 6, 2012, that confirmed that students’ personal information “was inadvertently open to public access in the school’s computer network for as long as two years.”
Back in 2012, Susan Bowen, who was then Mercer’s Executive Director for Information and Technology Services, said, “auditing the servers is something that Mercer does on a regular basis, including the day of the security breach.”
When asked about the current auditing of servers, Keeler said, “I’m not entirely clear on what the auditing server is. I recall there being conversations that were had back in 2012 regarding an auditing server, but technology has changed radically at Mercer over the last few years. We have no auditing server implemented, installed or working at Mercer currently.”
Lori Ostermiller, a Medical Lab Tech student, has been hacked twice on Mercer’s email server. She says, “I mean it was annoying, knowing that my email wasn’t private anymore. Knowing that someone can look into my email and see everything that I had in there. Granted it is a school email and there is nothing weird in there, however, there still was no privacy between me and the professors.”
Slaughter, the radio manager, says, “[the] IT department is an outsourced department and if they were physically on campus, if they were physically here and administering the up and coming information technology to students here, they could address situations like these to the students, and that is where the help comes from.”
Assistant Dean Simone remains hopeful, stating, “I believe that IT has it under control and are looking into it.”
Students have been advised by email to change their passwords and not to click on the link, but not all are convinced that ensures safety.
“I changed [my password] but I don’t think it is going to do anything, because I feel like they aren’t taking the right security measures to make sure our secure emails don’t get hacked again,” Ostermiller said.