2015 Bradley data breach perpetrator pleads guilty: Victims share experiences, university fails to follow up

Chicago native Gdadebo Adebiyi pleaded guilty to one count of conspiracy to commit mail fraud Feb. 6 for his role in a March 2015 breach of the Bradley data warehouse that stored the personal information of staff and faculty, resulting in the theft of over $770,000.

Adebiyi’s fraud scheme involved routing return proceeds to third-party prepaid debit cards, which he then used to purchase money orders, according to the U.S. District Attorney’s Office of Central Illinois.

Following the data breach, Bradley sent an email to campus attributing the cause of the incident to computer malware. Malware comes in a multitude of forms and is any type of malicious software that appears to perform one task but instead performs another.

Bradley information security professor Jacob Young said the type of malware that may have caused the breach could have been in the form of phishing, which involves emails that contain malicious attachments.

“A prime example of what might have occurred is somebody got a phishing email who had access to [sensitive] documentation,” Young said. “Once the hacker had access to their credentials, then they could log in and access [the information] that way.”

A victim of Adebiyi’s scheme, accounting professor Simon Petravick said he attempted to file his tax return in April 2015 but received a message from the IRS telling him his taxpayer ID had already been used that year.

“I then had to complete various reports related to the identity theft,” Petravick said. “I believe reports went to the IRS, the Peoria Police Department and credit bureaus.”

Petravick said he then had to go through a special process to receive his refund, which took nearly a year to complete.

Following the incident, Petravick said Bradley offered him a free subscription to Lifelock, an identity theft protection service.

Finance professor Bill Funkhouser, who was also a victim of the scheme, said Bradley’s decision to offer a Lifelock subscription to those affected was an improper response to the event.

“To make the Lifelock system work, it puts a burden on the employee to do the monitoring,” Funkhouser said. “Second of all, a lot of employees may renew after the year is up and pay for a service that they don’t need. Bradley kind of promoted Lifelock and endorsed it. I’m not sure that was appropriate.”

Funkhouser also said there were alternative ways Bradley could have provided assurance to victims of the scheme that would not have involved a subscription to Lifelock.

“The solution is to lock down your credit report,” Funkhouser said. “It costs $10, and it’s locked down for life.”

To lock down a credit report, one has to perform a credit security freeze, which is a hold placed on the release of a person’s credit report. According to Funkhouser, this may prevent perpetrators of identity theft from opening false credit cards in the names of others.

Both Funkhouser and Petravick said that, besides offering a free Lifelock subscription, Bradley has not informed them of any changes in Bradley cybersecurity policy that would prevent a similar breach from happening in the future.

Director of System Integration and Security David Scuffham said part of Bradley’s cybersecurity strategy is focused on continuous improvement, but he said he was unable to comment on the security breach any further.

“We are not at liberty to comment on the 2015 security event,” Scuffham said. “The FBI’s investigation into the misuse of employee data is still ongoing.”