On June 24, 2024, Loyola University Chicago posted notice of certain data security incidents involving student refunds and Loyola’s investigation into such incidents. The incidents involved the unauthorized change (“Unauthorized DDPI Change”) of certain student direct deposit profile information (“DDPI”) included in LOCUS by one or more unauthorized actors (“Bad Actors”).
Since the June post, Loyola has worked to develop and implement a number of additional safeguards to address the problem of Unauthorized DDPI Changes, which have continued to occur.
As a result of Unauthorized DDPI Changes, Loyola has put in place a notification system that alerts students when their DDPI has changed.
As noted in the June 2024 post, when Loyola becomes aware of student accounts where there has been an Unauthorized DDPI Change, the Information Technology Services team will continue to institute a forced reset of the passwords for such students.
Students are encouraged to stay diligent in safeguarding their Loyola credentials.
Loyola’s investigations into the Unauthorized DDPI Changes have linked such changes to phishing schemes perpetrated by one or more Bad Actors. Such schemes have also impacted other universities and colleges. In some schemes, the Bad Actor sends students a phishing email, which leads to the disclosure of the student’s LOCUS password and allows the Bad Actor to access LOCUS and change the student’s DDPI to a bank account under the Bad Actor’s control. Then, when payments are credited to the student in LOCUS, the actual funds are forwarded to the Bad Actor’s unauthorized bank account instead of the student’s account.
Loyola takes these incidents very seriously and has invested hundreds of hours in recent months to investigate such incidents and to develop and implement the safeguards described above. Loyola monitors its systems for unlawful attacks and, on an ongoing basis, implements new technologies intended to defeat such attacks and protect the personal information of Loyola faculty, staff, and students. However, Loyola is unable to monitor and prevent phishing schemes and urges all LOCUS users to be alert to such schemes.