...
If Office365 resources were accessed, the extent of data at risk is limited to what is present in email history, OneDrive, etc., as well as any third party accounts for which the SPU email address would provide access (for instance, if access to the email allows resetting the password to an online banking account).
if If Banner was accessed, then pay stub andĀ W2 information may have been exposed, including the SSN, as well as academic information (like grades) for which the faculty/staff member has access.
...