A University of Alaska employee fell for the well-worn "Nigerian prince" email scam, leading to a data breach at the university's Mat-Su campus but one in which hackers didn't appear to steal any private information, including thousands of names and Social Security numbers, university officials said.
UA announced the data breach in a prepared statement earlier this week, several months after the university "became aware that an unknown hacker using an employee's credentials gained access to UA data systems at the Mat-Su campus."
Those systems housed the names and Social Security numbers of more than 5,400 students and staff at the campus. For some, the data also included academic transcripts, grant award amounts, addresses and phone numbers.
Even though the hacker could obtain that information, a university investigation found no evidence that the person actually did, said Robbie Graham, UA associate vice president of public affairs and federal relations.
"As far as we can tell, the information was never accessed," she said. "So nothing ever happened as a result of the person responding to the fraudulent email."
Graham said Tuesday that the university would not release the text of the email.
"The email trail is personal, took place over a long time period, was part of a sweetheart scam and the individual was previously a fraud victim," she said.
The so-called Nigerian prince email scam is one of the longest-running Internet hustles. The people behind these often overly polite messages usually claim to be government officials or members of a Nigerian royal family.
"They offer to transfer lots of money into your bank account if you will pay the fees or 'taxes' they need to get their money," according to the Federal Trade Commission.
"These messages are the butt of late night jokes, but people still respond to them," said the FTC's webpage dedicated to the Nigerian email scam.
The "sweetheart scam" adds another layer. While Graham declined to specifically talk about the UA employee's emails, she said a "sweetheart scam" can involve "a longer-term exchange of emails where you divulge personal information or personal feelings."
"And so we established this bond and this trust and then they say, 'Hey, I saw this great thing online yesterday; you should go check out this website,'" she said.
The UA employee, using a university computer, clicked on the link to the fraudulent website provided by the scammer and logged on. The hacker was then able to gain access to the Mat-Su campus data stored on the server. The hacker also had access to the employee's address book.
"So when others started to be contacted by this phishing expedition, they then reported it to their IT expert at the Mat-Su campus, who then reported it to statewide IT, who said, 'Yikes,' " Graham said.
Graham said the breach was discovered in April and the unauthorized access was terminated on the same day. An investigation took months, she said.
The university entered into a contract of about $15,000 with ID Experts, an Oregon-based company that helps organizations manage cyber risks and data breaches. Just last week, the company sent letters to affected students and employees, Graham said.
Through ID Experts, the university is offering help to those affected, including identity theft protection.
This fall, employees and faculty will participate in Information Security Awareness training, said the UA statement.
When asked if the UA employee faced any penalties, Graham said, "Other than supreme embarrassment and mortification, I'm sure that the individual has been counseled."