Cyber thieves seem to have caught on to the fact that colleges hold a treasure trove of student documents containing highly sensitive personal and financial information, yet may lack adequate cybersecurity controls. The latest California college to report having suffered a ransomware attack is Pacific Union College (PUC), a private four-year college in Napa County, California.
According to the Maine Attorney General’s Office, 56,041 people were victims of this data breach.
Reportedly, the ransomware group Trigona has taken responsibility for the attack and was preparing to sell the data if their ransom demand was not met.
Highly Sensitive Personal and Financial Information at Risk
The data stolen has been reported to include a wide array of highly sensitive information:
- Financial Account Information or Credit/Debit Card Number (in combination with security code, access code, password, or PIN)
- Employee Information: Personnel files containing details such as names, addresses, dates of birth, photos, Social Security numbers, and employment details.
- Student Data: Records including students’ personal and financial information, as well as details of their families.
- Financial Documents: Files related to financial aid applications. According to DataBreaches.net, the ransomware group shared documents proving they had stolen Student Aid Reports (SARs).
- Family Information: SARs contain detailed personal and financial information, not just about students but also their parents – names, addresses, income, taxes paid, and more.
PUC’s Delayed Response: A Questionable Timeline
On April 7, 2023, PUC posted on its website that it was experiencing “additional complications” related to an ongoing cybersecurity issue.
On May 3, PUC provided an update that “several weeks ago, Pacific Union College experienced what we now know was a targeted ransomware attack.” While the college explained that it was diligently working to mitigate the situation, it stated, “We want to reassure you that we do not have evidence that personal information has been compromised.”
On June 6, DataBreaches.net, a cybersecurity reporting site, published an article that included an interview with Trigona.
The ransomware group claimed it had been negotiating with PUC for a month and had provided the college with samples and a listing of the stolen data. It also provided some samples to DataBreaches.net.
However, on June 9, PUC issued a final web update about this expansive breach, stating,
“To date, we are not aware of any reports of identity fraud or improper use of any information as a direct result of this incident. However, it’s crucial to note that a significant amount of data still needs to be reviewed by our cybersecurity consultants before it’s possible to determine what personal information may have been compromised. To the extent we learn that specific personal information has been compromised, we will notify those individuals directly.” (emphasis added)
Given that DataBreaches.net had already published redacted samples of the highly sensitive personal and financial data stolen from PUC by the time the college issued this statement, PUC’s statement seems significantly less than forthcoming and transparent.
On November 7, 2023 – 8 months after this attack took place – PUC finally reported this data breach to the California Attorney General’s Office, with victims being sent a notification one day later.
In a puzzling development, the letter provided to victims says that PUC only “recently” discovered there had been unauthorized access to its network.
Even more troubling, PUC appears to have reported to the Maine AG’s Office that it discovered this breach on October 9, 2023.
California Data Breach Laws Provide Protection
If you or your student received a Recent Notice of Data Breach from Pacific Union College, you might be entitled to recover your damages and obtain injunctive relief (to ensure that PUC maintains reasonable security practices to protect consumer data from being leaked again, and that it notifies affected people promptly and properly in the event of a breach), along with anything else the court concludes is necessary to compensate data breach victims and prevent these harms from reoccurring.
This is because California has laws that specifically protect your personal information, such as California Civil Code Section 1798.82, which requires businesses to notify California residents about data breaches that affect them “in the most expedient time possible and without unreasonable delay.”
Student records of the type disclosed here may also be protected by the Family Educational Rights and Privacy Act (FERPA) and the Gramm-Leach-Bliley Act (GLBA).
Personal Data Held by Colleges Is an Attractive Target for Hackers
As noted by the California Cybersecurity Integration Center (Cal-CSIC), “California’s Education Sector presents a sizable target for cybercriminals… These networks often contain highly valuable research and personal information. The convoluted, multi-tiered systems, coupled with a workforce that is generally underfunded and not versed in practical cybersecurity practices, present several potential avenues of attack for cybercriminals.”
Moreover, the personal and financial data of young adults is particularly attractive to cyber thieves because it can be retained for years before being used to commit identity theft or other cybercrimes.
This incident at Pacific Union College underscores the need for stronger cybersecurity and transparent communication strategies in higher education institutions.