Two-dozen student email addresses at West Virginia State University were "compromised" earlier this year, but the students weren't told that someone else might have gotten into their accounts.
WVSU's information technology department received a list in March of about 1,600 email addresses. The person who sent the list said they had been hacked by someone, according to WVSU spokeswoman Kimberly Osborne.
Osborne wouldn't say who gave the school the list or how the person got it. On the list of compromised accounts, 24 were WVSU emails and the others were a mix of Hotmail, Gmail and Yahoo accounts not associated with the school, she said.
The school never told those 24 students they appeared on the list and could have had their emails hacked into.
"We did not, and it is something that we should certainly look at in the future," Osborne said.
She maintained that there was no evidence of a data breach and that no university databases were compromised.
After the school received the list, William Porterfield, WVSU's supervisor of public safety, started an investigation. Campus Police was the only agency to investigate the issue.
Osborne said Porterfield contacted the Kanawha County Prosecuting Attorney's Office, and the on-duty prosecutor reviewed the information and concluded that there was no malicious activity and that charges would not be filed.
Don Morris, Kanawha County's lead assistant prosecutor, and others at the Prosecutor's Office said Friday they had never heard of the incident and that no one they spoke to provided any guidance on the issue.
"As a course of the investigation, there were no findings that the individual did any malicious act or anyone was harmed as a result of the situation," Osborne said. "That needs to be stressed, that yes, the email addresses were compromised, but the investigation did not find that there were any maliciousness."
Around the same time the school got the list, a student raised concerns that his or her email address had been compromised. Osborne wouldn't say if the student was one of the 24 on the list.
Google, which maintains the school's emails, is supposed to automatically contact the school when it sees any suspicious or irregular activity. The company contacted WVSU four times in March, and IT staff manually reset the account password for every email account in question, according to Osborne.
The list of compromised accounts the school received included names, email addresses and, sometimes, a "tidbit of information about the individual," Osborne said.
She said the information on the list was public information that one might find on a person's social media account and that the person who might have accessed the accounts went through a "labor-intensive" process to get the information.
Tom Bennett, WVSU's assistant vice president for university and legislative relations, sent an email to everyone at the school on March 9, telling them that Google would start requiring complex passwords for accounts in its system.
Account holders were told that, on April 4, programmers at the school would run an automatic script that would require everyone to reset their password.
Before that change, WVSU set every default password as the account holder's birthday. Knowing someone's birthday and email address means someone could easily log in - unless the account holder had changed his or her password.
"There's some personal responsibility here to develop a password, keep that password and not share that password, so there is that personal responsibility there," Osborne said. "They were encouraged to change their password from the default."
Reach Jake Jarvis at
jake.jarvis@wvgazettemail.com,
304-348-7939 or follow
@NewsroomJake on Twitter.