Employee information compromised; mandatory password change issued


Phil Scherer | Reporter
Sept. 30, 2016; 5:30 p.m.
Updated: Oct. 3, 2016; 1:30 p.m.

Eighteen employees had their personal information compromised by a phishing scheme, and a second attempt was discovered early Monday according to emails sent to Lindenwood faculty and staff.

The first incident prompted the Information Technology department to issue a mandatory password change for all employees, effective Oct. 4.

The phishing scheme was designed to steal personal information.

It typically is accomplished by sending an email that looks as if it from a legitimate organization, according to an email sent Monday by TJ Rains, vice president of Information Technology.

However, it contains a link to a fake website that replicates a real one.

The first scheme was detected when unusual activity was noted on a payroll error report, according to an earlier email. According to Rains, the abnormalities were first detected on Thursday, Sept. 29, at 2 p.m.

Lindenwood IT said at the time that it does not believe this constitutes a breach to its security system; rather, it is an isolated incident.

Those employees affected were made aware of the problem and were offered LifeLock security services at no cost, official said.

The mandatory password change officially goes into effect at 8 a.m. on Oct. 4 and is considered to be a precautionary measure.

As part of the password change, all faculty and staff will be required to change their passwords every 90 days, and each password must contain a minimum of 10 characters.

Deb Ayres, vice president of Human Resources, said in an email on Sunday that within 24 hours of the issue being discovered, the “exposure was eliminated.”

“We must use this situation to increase our attention as individuals and as an institution to be smarter and more vigilant in protecting ourselves from cyber attacks,” Ayres said.