The university was informed on Tuesday afternoon that six employee payments had been rerouted to out-of-state bank accounts and a total of 17 myACU accounts had been accessed by the perpetrators.
Before Thanksgiving break, several ACU email accounts received a phishing email that, when responded to, allowed the perpetrators to obtain account login credentials and use them to reroute payroll direct deposits to unauthorized bank accounts in Tennessee and Virginia.
Kevin Roberts, vice president of planning and operations, said this incident is, apparently, part of a much broader national event.
“There are about 30 other universities that we’re aware had the same thing happen to them within the same time frame. It appears to be part of a much broader effort on the criminals’ part,” said Roberts. “It wasn’t just limited to ACU.”
The amount of money diverted by the perpetrators is unclear. Roberts said he did not know how much money ACU lost, but the unauthorized accounts were immediately cashed out after the rerouting.
He said there have been phishing attempts before, but none this sophisticated or targeted this directly at a university community.
“They’re usually much more generic. This was unique in that it was targeted to universities beyond just us and it was fairly sophisticated in its making,” Roberts said.
He said ACU security personnel are working with personnel at other universities as part of an ongoing investigation.
The ACU Police Department is actively consulting with federal law enforcement agencies.
“We’re doing preliminary work at this point and IT is working on their part,” said Lt. Randy Motz of the ACUPD. “We’re finishing up on taking statements from people whose accounts had been compromised, things like ‘when did it happen’ and ‘when they first become aware of it’.”
Roberts confirmed that the six individuals who were affected have been paid and reimbursed. All of the 17 known individuals who were affected have been contacted individually and directly and have been made aware of the incident.
Doug Mendenhall, instructor of journalism and mass communication, said that the university notified him Monday afternoon that he was one of the six employees who did not receive the payment that should have been deposited into his account last Friday.
“In my case, they went in and changed my direct deposit information to a bank that’s in Tennessee. I had never heard of it before,” said Mendenhall. “I looked back in Banner and you could see the other bank and the routing information that was listed instead of mine.”
Mendenhall said he thought the phishing email he received had good IT language and was pretty well done by the standards of typical phishing emails.
Mendenhall said the routing number his deposit was sent to belonged to the Security Fed. S&L bank in McMinnville, Tenn. Employees answering the phones at the bank declined to comment.
Roberts said he believes the recent enforcement of password changes for all myACU users was coincidental in timing with this week’s phishing.
“We have known for a long time that we need to be more diligent about forcing password changes. We actually made that decision to force to change their passwords before the phishing attempt and those were absolute coincidence in timing,” he said.
He said the next step for the university is to continue the forensic investigation of its computer files while using this incident as a reminder for everyone on campus about the importance of security.
“This is a great reminder of why it’s so important to be diligent about your passwords, that they are secure and changed routinely. If you receive an email that seems suspicious or looks odd, don’t respond to it. Call and ask the help desk,” Roberts said. “It’s a sad commentary on the world we now live in.”