Recently, Simpson University confirmed that the company experienced a data breach involving unauthorized access to employee email accounts. According to Simpson University, the breach resulted in the names, Social Security numbers, financial information (bank account, credit card, and debit card numbers), and protected health information of 6,175 students being compromised. On June 9, 2022, Simpson University filed official notice of the breach and sent out data breach letters to all affected parties.

If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Simpson University data breach, please see our recent piece on the topic here.

What We Know About the Simpson University Data Breach

According to documents filed with various state government agencies, Simpson University recently identified suspicious activity in certain employee email accounts. After detecting this activity, the University secured the affected email accounts and began working with a cybersecurity firm to investigate the incident. This investigation confirmed that an unauthorized party gained access to certain employee email accounts between July 29, 2021 and September 17, 2021.

Upon discovering the breach, Simpson University then reviewed the compromised email accounts to determine who was affected by the breach and what information was leaked. The University completed this review on February 1, 2022. While the breached information varies depending on the individual, it may include your name, date of birth, Social Security number, passport number, driver's license number, state ID number, student ID number, financial account number, debit card number, credit card number, username/email address with password, health insurance information, medical treatment and diagnosis information. The compromised accounts may also have contained information from involved students' education records, including your major and year in school.

The Simpson University data breach is believed to have impacted 6,175 current and former students.

On June 9, 2022, Simpson University sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.

More Information About Simpson University

Originally founded in 1921 as Simpson Bible Institute, Simpson University is currently a private, Christian university in Redding, California. Simpson University offers a wide range of majors and minors, including biology, business administration, communication, history, liberal studies, mathematics, outdoor leadership, political science, and psychology. The University is also home to the Betty M. Dean School of Nursing, School of Adult Studies, School of Graduate Professional Studies, and the A.W. Tozer Theological Seminary. Simpson University has approximately 700 undergraduate students, 100 graduate students, and 125 faculty on staff.

How Do Hackers Obtain Access to Employee Email Accounts?

While Simpson University released a decent amount of information surrounding the recent breach, the University did not get into how the unauthorized party was able to gain access to the employee email accounts. While this information cannot be confirmed until the University releases additional details about the data breach, there are a few ways that hackers can access employee email accounts.

Phishing

Phishing is a type of cyberattack in which a hacker sends the target a seemingly legitimate email in hopes of getting the target to provide the hacker with information or login credentials. Typically, the email looks real and comes from what appears to be a known source, such as the worker’s employer. Hackers rely on social engineering principles to “trick” the target into either providing them with their login credentials or downloading malware, usually by clicking on a malicious link. According to the Identity Theft Resource Center, in 2021, a third of all cyberattacks involved phishing. However, organizations can reduce the threat phishing attacks pose by educating employees about their risks and maintaining a robust data security system.

Brute Force Attacks

Hackers have access to databases containing previously breached username-password combinations. A brute force attack involves a hacker plugging known username-password combinations into a program that automatically tries the combinations on a large number of websites. Brute force attacks are one of the reasons why it is critical to change your password to all your online accounts after a password is compromised.

Guesswork

Have you ever had a password rejected because it contains part of your name or Social Security Number? People tend to pick the same types of passwords, often including their own information. Similarly, it is common for people to choose the same passwords, such as “password123” or “qwerty,” because they are easy to remember and type in. However, hackers also have access to databases of the most commonly used passwords. By using automated software applications, hackers can try hundreds of passwords on a site until they gain access.

Given the threats data breaches pose, companies should maintain robust data security systems that prevent these types of attacks. For example, some sites lock a user out if they guess the wrong password more than three times. There are also more complex back-end measures companies can take to reduce the likelihood of employee email accounts being compromised. Those who were recently the victim of a data breach should reach out to a data breach lawyer to learn more about their rights and how to pursue them.