Students and faculty notified of data breach ⚖️
On or about June 10, 2022, Napa Valley College (“NVC”) experienced a ransomware attack and data breach that locked up some online systems and caused the college to take other systems offline.
NVC began reporting that it was experiencing a “technical issue which has disrupted access” on June 10th, and continued to disseminate social media messages about the impact of the disruption and its attempts to address it through June 27th.
On June 25, 2022, Assistant Superintendent Jim Reeves said in a statement to the Napa Valley Register that NVC has historically underinvested in its IT systems, but efforts were underway to improve them prior to the ransomware attack.
Daniel Vega, the interim NVC IT director, appointed just one day prior to the cyber attack, told the Register that, “this wasn’t how I expected to spend my first day in my new position, but leadership moved quickly to address the situation and provide the support that we needed.”
The cyber-attack disrupted email for professors and staff, delayed registration for fall classes, and temporarily blocked access to financial aid.
On July 1, 2022, the Register reported that some systems were back online, and NVC was using workarounds to provide services to students. According to the Register, NVC is in the process of notifying employees and current students about the data breach and has arranged for 12 months of complimentary credit monitoring.
No further details about the nature of the cyber-attack have been shared by NVC, but the BlackByte ransomware group appears to have taken credit for the attack.
On February 11, 2022, four months before this attack, a Joint Cybersecurity Advisory was issued by the Federal Bureau of Investigation and the U.S. Secret Service entitled Indicators of Compromise Associated with BlackByte Ransomware.
The Advisory warns that, as of November 2021, BlackByte ransomware had compromised multiple U.S. and foreign businesses. The Advisory contains a list of suspicious files that are indicators of when a system has been infiltrated by BlackByte, steps that IT administrators can take to lessen the impact of a BlackByte attack should they fail to prevent the attack entirely, and additional resources.
On February 15, 2022, the Cybersecurity and Infrastructure Security Agency (“CISA”) released a Notification to draw attention to the Advisory. CISA encouraged organizations to review the Advisory and apply the recommended mitigations.
Businesses Should Be Held Accountable For Data Breaches
“With ransomware groups more active than ever, it is vital that organizations stay abreast of the latest FBI advisories to avoid falling victim to these schemes and quickly recognize if they have been compromised,” explains April M. Strauss, senior California attorney and Certified Information Privacy Professional.
“Individuals who have trusted organizations with their sensitive financial and personal data deserve to have that data held securely, with the highest possible attention paid to preventing known threats.”
Special California Laws Protect You From Data Breach Harms
If you received a Notice of Data Breach from Napa Valley College, or believe you may have been impacted by the NVC ransomware attack, you may be entitled to between $100 and $1,000 plus actual damages resulting from the negligent release of your confidential information.
California has unique state laws, including the California Consumer Privacy Act (CCPA) and the California Confidentiality of Medical Information Act (CMIA) that compensate individuals whose confidential and sensitive data have been accessed in ransomware events.
Participants in data breach lawsuits can recover damages, injunctive relief (to make sure that the business has reasonable security practices to protect consumer data from being leaked again) and anything else the court concludes is necessary to compensate data breach victims and prevent these harms from occurring again.
One Year Of Identity Theft Services May Not Be Enough
‣ Electronic Personal Data Doesn’t Degrade
Cybercrimes present an attractive target for hackers: Data can be bought and sold anonymously, and the going rate per personal record is approximately $20 depending on the type of information, according to Privacy Affairs Dark Web Index of 2021.
Certain critical types of personal information – like Social Security numbers, names, and birth dates – are impossible, or almost impossible, to change. Thieves may choose to wait years to capitalize on compromised personal data.
The longer cyber thieves can go undetected, the more they stand to profit from their illegal activities. Thus, once you know your data has been disclosed, it is reasonable to take actions over concerns that your data will be used to cause you significant financial losses.
Compromised data also increases the risk of hacking, phishing, and increased anxiety over future losses and identity theft.
Steps You Can Take To Protect Yourself
- Purchase credit monitoring services
- Order and review your credit reports – you are entitled to one free report from Experian, TransUnion and Equifax annually
- Review your account statements regularly for suspicious activity
- Place a “fraud alert” with one of the three major credit bureaus
- Place a “security freeze” on your credit report
- Get an “identity protection pin” from the IRS
- Secure legal representation
What Is The Difference Between A “Credit Freeze” and A “Fraud Alert”?
A credit freeze the strongest step you can take to prevent fraudulent accounts being opened under your name. A credit freeze prevents a credit bureau from sharing your information with others. You can put a credit freeze in place with each of the three major credit bureaus by using the following links: Equifax, Experian, and Transunion.
If you put on a credit freeze, no one will be able to open new credit accounts in your name. You can still use your active credit cards with a freeze in place. It costs nothing to put a credit freeze in place, lasts indefinitely, and will not affect your credit score.
However, if your credit card information has been compromised, a credit freeze will not prevent a cyber-thief from making purchases with your stolen card. Cancelling the card and getting a new card with a different number is the only way to stop such transactions from taking place.
You can also place a fraud alert on all of your credit reports. Fraud alerts are free and are a flag for potential credit providers that you may have been a victim of identity theft. They allow you to apply for new credit cards and other forms of credit without having to unfreeze your account.
Fraud alerts can last one to seven years, and can be lifted by you at any time. Once you put a fraud alert in place at one credit bureau, it will alert the other two for you. You can put a fraud alert in place with any of the three major credit bureaus by using the following links: Equifax, Experian, and Transunion.
What Is An “Identity Protection PIN”?
An Identity Protection PIN (IP PIN) is a six-digit number issued by the U.S. Internal Revenue Service to keep other people from using your Social Security number or Individual Taxpayer Identification Number to fraudulently file a tax return.
There is an online tool for obtaining an IP PIN, and also a slower process by mail or in person at a local Taxpayer Assistance Center. An IP PIN is only good for one calendar year. At the end of the year, the IRS generates a new IP PIN for participating accounts.
More information about IP PINs can be found here.