Three U.S. universities have disclosed data breach incidents impacting personally identifiable information of students or employees following unauthorized access to some of their employees' email accounts.

All three universities — Graceland University, Oregon State University, and Missouri Southern State University — have notified the individuals whose personal information was potentially stolen or accessed about the security incidents.

In addition, the investigations into the disclosed data privacy incidents at all three universities have found no evidence that the impacted personal information was stolen or used in a malicious manner.

Graceland University says in a notice of data breach published on June 14 that an "unauthorized user gained access to the email accounts of current employees," on March 29, 2019, as well as "from April 1-30 and April 12-May 1, 2019, respectively."

As the university discovered during the breach investigation, "the personal information of some people who had interacted with these email accounts over the past several years was available during the time the unauthorized user(s) had access."

The information that could have been accessed during the incident included:

• full name

• social security number

• date of birth

• address

• telephone number

• email address

• parents/children

• salary information

• financial aid information for enrollment or possible enrollment at Graceland

Oregon State University (OSU) states in a press release that "636 student records and family records of students containing personally identifiable information were potentially affected by a data privacy incident that occurred in early May."

OSU says that a joint investigation carried out with the help of forensics specialists found that an employee's hacked email account containing documents with the info of the 636 students and their family members was also used by the attackers to "send phishing e-mails across the nation."

As detailed by Steve Clark, OSU's VP for university relations and marketing:

"OSU is continuing to investigate this matter and determine whether the cyber attacker viewed or copied these documents with personal information."

According to Clark, the university is also reviewing the protection systems and procedures used to shield OSU's e-mail accounts and information systems.

Missouri Southern State University (MSSU), the third entity that reported a breach, states in a notice of data breach sent to the Office of the Vermont Attorney General that it was alerted to a possible cyber attack triggered by a phishing email on January 9.

The phishing attack claimed several victims among the university's employees, which prompted a law enforcement notification. University officials were told afterward to delay notifying affected individuals until the investigations were complete.

MSSU also hired a leading forensic investigation firm to look into the security incident and to "block potential email exploitation, including a mass password reset of all employee Office 365 accounts."

After analyzing the contents of the impacted Office 365 accounts, MSSU found that the emails contained within stored "first and last names, dates of birth, home addresses, email addresses, telephone numbers, and social security numbers."

As further explained in the data breach notification sent to the Vermont Attorney General by MSSU:

"In late March, April, and early May, the University identified emails containing personal information that may have been compromised by the attack. In mid-May, the University confirmed that your first and last name and social security number were contained in the impacted accounts."

BleepingComputer has reached out to Graceland University, Oregon State University, and Missouri Southern State University for additional comments, but had not heard back at the time of this publication.

Update June 17: Mike Olmstead, Missouri Southern State University's Director of News Services & Messaging, sent an official statement from the university: