Over a two day-span in June, three US universities reported that they were hit by data breaches this year. Graceland University, Oregon State University, and Missouri Southern State University have all notified the individuals affected by the data breaches one of which may have started as early as January this year.

Sergiu Gatlan filed this report on the data breaches for bleeping computer:

Graceland University says in a notice of data breach published on June 14 that an “unauthorized user gained access to the email accounts of current employees,” on March 29, 2019, as well as “from April 1-30 and April 12-May 1, 2019, respectively.” As the university discovered during the breach investigation, “the personal information of some people who had interacted with these email accounts over the past several years was available during the time the unauthorized user(s) had access.”

Oregon State University (OSU) states in a press release that “636 student records and family records of students containing personally identifiable information were potentially affected by a data privacy incident that occurred in early May.” OSU says that a joint investigation carried out with the help of forensics specialists found that an employee’s hacked email account containing documents with the info of the 636 students and their family members was also used by the attackers to “send phishing e-mails across the nation.”

Missouri Southern State University (MSSU), the third entity which reported a breach, states in a notice of data breach sent to the Office of the Vermont Attorney General that it was alerted of a possible cyber attack triggered by a phishing email on January 9. The phishing attack made several victims among the university’s employees which prompted a law enforcement notification. The university officials were told afterward to delay notification of affected individuals until investigations are complete.