LOCUS Phishing Breach

Posted on: June 24th, 2024 by Jim Pardonek

On May 22, 2024, Loyola University Chicago was notified by a student that they had not received an expected refund. The student noted that their direct deposit bank account information listed in LOCUS, the University’s web-based student information system, had been changed. The student had not initiated the change and reported that certain student loan proceeds due to the student had not been received.

Loyola immediately began to investigate this incident and identified the bank and account where the student’s loan proceeds were sent. With this information, Loyola identified a second student who had been similarly impacted. Loyola also identified several other student accounts in LOCUS where the direct deposit bank account information had also been changed, but where no loan proceeds or other funds had been sent.

Loyola’s Office of the Bursar, working in cooperation with the Information Technology Services team, immediately instituted a forced reset of the passwords for the student accounts where the direct deposit account information had been changed without authorization, to prevent any further unauthorized access to such student accounts. Loyola also cleared the incorrect direct deposit account information from all impacted LOCUS accounts and confirmed that such information had not been entered in LOCUS for any other student accounts. By email, Loyola advised the impacted students of the need to select a new password and enter correct direct deposit bank account information in LOCUS. Loyola also temporarily paused the funding of student loan proceeds through LOCUS, pending confirmation that any payments to students will be sent to students’ authorized bank accounts.

Loyola’s further investigation determined that the above incidents were the result of a phishing scheme perpetrated by an unauthorized third party (a “bad actor”) who contacted certain Loyola students in the spring of 2024. The bad actor sent students a phishing email, which led to an online dialogue with the impacted students, during which the students’ LOCUS passwords were disclosed. With this information, the bad actor accessed LOCUS and changed the direct deposit bank account information for such students to accounts that Loyola believes to have been under the bad actor’s control, so that when payments due to students were credited to the student in LOCUS, the actual funds would be forwarded to such unauthorized accounts.

Loyola takes this incident very seriously and we are continuing to investigate this matter in order to institute additional safeguards to prevent any recurrence. Please be assured that Loyola is taking steps to increase information security awareness training and is identifying additional technology measures that will strengthen our information security posture. Each day, Loyola monitors its systems for unlawful attacks and, on an ongoing basis, implements new technologies intended to defeat such attacks and protect the personal information of Loyola faculty, staff, and students.