Syracuse Student’s Social Security Numbers Possibly Compromised as “Unauthorized Party” Gains Access to Employee Email Account

By Ricky Sayer

SYRACUSE, N.Y. – The email account of a Syracuse University employee who had access to some student names & Social Security numbers was accessed by an “unauthorized party,” according to a letter mailed to at least three current, former, and formerly prospective Syracuse University students.

A Syracuse official confirmed in a statement to CitrusTV Tuesday evening that they recently concluded an investigation into an incident which involved “unauthorized access to an employee’s email account.” The statement did not specifically mention Social Security numbers.

The official, SU Senior Vice President of Communications Sarah Scalese, did not respond to a question Tuesday about the number of students who may have been impacted.

CitrusTV spoke with one current student who said she, along with their sister, an alumnus of SU, received letters from SU alerting them that their private information may have been compromised as part of the incident. A student who applied to SU 3 years ago, but did not end up attending the university, also told CitrusTV they received a letter.

The letter, which was reviewed by CitrusTV, said that on January 4th they discovered the SU employee’s email account contained an “email and/or attachment” which contained the person’s name and Social Security number. It’s not clear when the investigation began.

The unauthorized party had access to the account for about 5 days last September, the letter said.

“Upon learning of the incident, we immediately secured the account and launched an investigation with assistance from a computer forensics firm,” Scalese said

The university is unaware of any “misuse” of the information contained in the employee’s email account, according to the letter, which is signed by SU Senior Vice President Steven Bennet. He wrote that they don’t know if the “unauthorized party” read the emails of the SU employee.

“We sincerely regret any concern this incident may have caused,” Scalese said, adding they have taken steps to prevent further incidents from happening.

SU is providing free access to identity and privacy protection services along with listing a number of actions they can take to be vigilant.

They are also hiring additional resources for cybersecurity training, as well as providing additional training on cybersecurity and phishing for all university employees with access to personal information, according to the letter sent to the student who was impacted.

Syracuse University students regularly receive “phishing” emails from people who attempt to get students to click on links that could help a hacker gain access to either an email account or the students’ computer. The University’s Information Technology Services also regularly sends emails to students warning them about “phishing” emails.

It’s not clear the method the unauthorized party used to gain access to the account.

If you received this letter let us know, if you are comfortable, by emailing Ricky Sayer at rsayer@citrustv.net

The full first page of the letter is above.