MSSU Chief Information Officer Al Stadler told The Turner Report that the university has not come across any instances of the private information being misused.
All of those affected either have received or will receive official notifications from CO/ID Experts, the Everett, Washington, based company that is handling the situation, Stadler said.
Officials in other states where students and former stusdents may be affected have also been contacted.
The notification letter reads as follows:
We are writing to share important information about a recent incident involving Missouri Southern State University that may have affected your personal information.
On January 9, 2019, the University was alerted to a possible cybersecurity attack triggered by a phishing email. The email contained a link, which, when clicked, allowed the perpetrator to potentially copy that employee's Office 365 account.
Unfortunately, several employees fell victim to the fraudulent scheme.
As soon as it detected this attack, the University contacted law enforcement and was directed to delay notification of potentially affected individuals until its investigation was complete.
The University immediately engaged a leading, forensic investigation firm to look into the matter and undertook enhancements to its already robust IT system to block potential email exploitation, including a mass password reset of all employees' Office 365 accounts.
The University analyzed the entire contents of the impacted Office 365 accounts. The emails and attachments in the accounts contained among other things- first and last names- dates of birth, home addresses, email addresses, telephone numbers and Social Security numbers.
In late March, April and early May, the University identified emails containing personal information that may have been compromised by the attack.
In mid-May, the University confirmed that your first and last name and Social Security number were contained in the impacted accounts. Please be assured that the investigation has not uncovered any evidence of actual misuse of your personal information.
In the next portion of the message, the steps that have been taken to deal with the cyberattack were outlined:
Once the University discovered this attack, it took immediate steps to analyze and improve security and monitoring of its Office 365 accounts containing sensitive information.
As part of the investigation and remediation efforts, the University also engaged a forensics team, other cybersecurity experts, law enforcement officers and the attorney general's office.
Although it appears that the risk of harm to you is minimal as a result of this incident, the University started working straightaway to notify impacted individuals once the investigation was complete and the results were communicated with law enforcement and other regulators.
Missouri Southern State University is offering those potentially affected 24 months of free credit monitoring and $1 million in identity theft insurance and providing the information on how to sign up for those services.