In late February of this year, administrators at SUNY New Paltz watched a routine electronic refund to a student bounce back from a frozen account. The rejected deposit prompted the university's IT team to investigate, and they found that 122 student payment accounts had had their direct deposit information changed to suspicious bank accounts.
Further investigation revealed that phishing attacks dating back as far as January 15th had caused over $10,000 in damages for the university. To curb further damage while mitigation efforts began, the university disabled electronic refunds for students and issued paper checks in their place. To further protect student accounts from tampering, multi-factor authentication is being rolled out for all students.
Details of this breach were gathered by a FOIL request submitted under New York State's SHIELD Act. See the full details of the breach below.