PSC students, staff may have had personal information stolen
College offers year of credit monitoring, says it has rebuilt cyber security
PAUL SMITHS — Approximately 10,000 students, staff and potential students of Paul Smith’s College are being put on alert that some of their personal information may have been stolen by hackers who hit the college with a cyber attack during the fall semester.
According to a letter from interim college President Dan Kelting to the college community, which was obtained by the Enterprise, during the Aug. 27, 2022 breach, hackers accessed a network containing personal information including Social Security numbers and dates of birth.
The college is offering a free year of credit monitoring to anyone who may have been impacted. PSC spokesperson and Adirondack Watershed Institute Executive Director Zoe Smith says the college’s IT infrastructure has been rebuilt to “state-of-the-art standards” to prevent another security breach like this.
Students say some of Kelting’s letters, which alerted those who could have been impacted by the breach, included incorrect information, or were addressed to the incorrect person but had the correct mailing address.
Kelting wrote in the letter that the college has “no evidence that any of your information has been or will be misused for identity theft.”
“Nevertheless, to protect you from potential misuse of your information, we are offering a complimentary one-year membership of Experian IdentityWorks,” Kelting wrote.
This consumer credit company’s 3-Bureau Credit Monitoring service tracks transactions on the three major nationwide credit reporting companies — Experian, Equifax and TransUnion — to detect possible misuse of personal information, and also provides identity protection services and identity theft resolution.
Kelting’s letter explains that this service is being offered “completely free,” will not hurt credit scores and includes $1 million identity theft insurance.
He also suggested potentially impacted people take other actions, such as placing a fraud alert and/or security freeze on their credit files, obtaining a free credit report and reviewing financial account statements and credit reports for fraudulent or irregular activity on a regular basis.
Kelting said people looking to learn more can contact the college’s toll-free response line at 877-274-1631, which is available on Monday through Friday from 9 a.m. to 9 p.m.
Kelting also pointed out that under federal law, anyone is entitled to one free credit report every 12 months from each of the three major nationwide credit reporting companies — Equifax, Experian and TransUnion. Equifax had a data breach in 2017 that potentially affected 147 million people, according to the Federal Trade Commission. The company reached a $425 million settlement with the FTC in 2019.
Smith said Paul Smith’s College has worked with the Fedcap Group, an educational nonprofit with which the college is in the midst of working on an affiliation, to improve its cyber security.
“Upon learning of the attack, the college immediately requested the Fedcap Group deploy their IT department to lead in the rebuilding of the college’s systems,” Smith wrote in an email. “In January 2023, an independent expert (Syracuse-based Secure Network Technologies) confirmed that the improved cyber security infrastructure of Paul Smith’s College is sound.
“There was no evidence medical information was accessed, but we collected all documents with any potential personal information for notification,” she added.
PSC student Brittany Bashaw said she was affected by the security breach, but when she got the letter, she believed it to be a fraud, so she shredded it.
“I received a letter in the mail addressed from the school, to my home address, but it wasn’t addressed to my name, it was a random name I didn’t know,” she wrote in a message to the Enterprise. “Enclosed was financial information that was similar to mine, but not exact.”
Smith said anyone who threw out or shredded a letter, believing it to be fraud, should call the college’s response line at 877-274-1631.
Bashaw said students have been angry that they’re finding out about the security breach through letters.
She said this is the only information she has been given by the college.
“The school did notify students of a security breach last fall, because all of our internet access was down for a week which affected all classes,” she wrote. “The school has not put out any information this semester about the security breach.”
“We do not believe this incident was related to any internet outage during the fall,” Smith wrote in an email.
PSC alumna Loretta Anne said she has not been personally affected by the breach, but she knows several people who have been.
“I realize it’s challenging to navigate keeping a private university in business and providing good education in 2023,” Anne wrote in a message to the Enterprise. “But to see so many compounding failures administratively, then to see that there was a massive personal information security breach that affected 10,000 or more people associated with PSC — is just sad and unacceptable.
“To all those who have been affected — do not forget your legal rights,” she added. “PSC must realize this mistake, make it right and prevent anything like this from happening again.”
Nicholas Hunt-Bull, who is now the college’s provost, was president at the time of the breach.
An attack was first reported to the college community in an email from Hunt-Bull on Aug. 28.
Smith said they do not believe the security breach was related to the internet outage last fall, but the two events were reported to have happened around the same time.
Hunt-Bull said this was a “major cyber-attack” which took down systems including Wi-Fi service on campus. For days, classes ran as usual — just on old-fashioned whiteboards and conversation.
On Sept. 13, Hunt-Bull told the campus “multiple external cybersecurity experts” had investigated the incident.
“Unauthorized actors viewed and/or acquired certain data from our systems,” Hunt-Bull wrote. “To date, we have no evidence that any of your information has been or will be misused for identity theft.”
He said if it was later determined people were affected, they would be notified.
“We are taking steps to further enhance the security of our network, including implementing an endpoint detection-and-response tool throughout the network,” Hunt-Bull wrote.
On Sept. 28, Hunt-Bull emailed out another update.
“Remaining systems are being rebuilt and/or recovered as quickly as possible,” Hunt-Bull wrote.
“Several systems or platforms have experienced a significant loss of data,” he added.
A previous version of this story included an incorrect date for when the cyberattack was discovered.