Tech School Hack Affects Health, Personal Data of 209,000
East Valley Institute of Technology Is One of LockBit's Education Sector Victims

An Arizona-based technical school is notifying nearly 209,000 current and former students, parents, guardians and faculty that their personal, health and financial information was potentially compromised in a hacking incident detected earlier this year. The attack was carried out by ransomware-as-a-service group LockBit.
East Valley Institute of Technology, whose students include high schoolers as well as adults, told Maine's attorney general in a report filed Friday that the records of 208,717 individuals - including 12 Maine residents - were potentially affected in a Jan. 9 cyberattack on the school.
EVIT, in a sample breach notification letter filed with its report to Maine regulators, said the incident had "limited impact" on its operations.
"We promptly took corrective steps to investigate the incident, secure our systems, report the incident to the three largest nationwide consumer reporting agencies and appropriate authorities, contain and remediate the threat, and notify potentially impacted individuals," EVIT said.
"To date, EVIT has not discovered any publication of EVIT data that contained sensitive information," the school said.
LockBit encrypted EVIT's systems and demanded a ransom for a decryptor key, but EVIT did not pay the extortionists, an EVIT spokesperson told Information Security Media Group.
No EVIT data was exfiltrated in the incident, the spokesperson said.
"We are not aware of any personally identifiable information that was leaked or sold on the dark web," she said. "EVIT was able to continue to operate after the incident and cloud-based systems remained operational, but there was potential exposure of sensitive information belonging to current and former students, faculty, and parents," she said.
The school recently concluded a review of the potentially compromised data and determined it covers a wide range of information including names, class list, student ID number, date and place of birth, race/ethnicity, grades, course schedule, home phone number, email address, home address, parent and guardian name, transcript, individual education plan, Social Security number, driver's license or state ID number, class rank, tribal ID number, disciplinary files and reason for absences.
Financial information potentially affected includes payment card type, account number, routing number, financial aid and account number.
Affected health-related information includes health insurance information, medical information, diagnosis and code, mental or physical condition, treatment type and location, prescription information, allergy, patient ID and account, institution name, and medical record number.
Other potentially compromised information includes passport numbers, username with password, PIN or login information, biometric data, and military ID numbers.
Not all individuals had the same combination of information compromised, EVIT said.
Compromised Credentials
The threat actor accessed the EVIT IT environment remotely over VPN using compromised credentials, the EVIT spokesperson told ISMG.
"It was not determined if the threat adversaries brute-forced the access credentials or found the access credentials online," she said. "The third-party cybersecurity consultant conducted searches to see if the credentials were posted or offered for sale online. No evidence was found that the credentials were posted or offered for sale online."
Since the incident, EVIT said, it has taken measures to strengthen its security.
That includes locking down VPN access, deploying EDR software, implementing 24x7 monitoring for the incident, revoking all privileged user access, changing all service account passwords, changing all user passwords, revoking domain trust, performing domain cleanup and rebuilding or replacing 19 virtual servers so that none of the servers affected by the attack were brought back onto the network.
"EVIT engaged a third party specializing in network security to help EVIT with adding these and other computer security protections and protocols to harden its network infrastructure and offer improved protections of sensitive data from unauthorized access," EVIT said in its breach notification letter.
EVIT had earlier notified potentially affected individuals by emailing everyone who had an email address on file with the school and by posting a notice detailing the incident on its website, the spokesperson said.
"Individuals for whom EVIT located their current physical address will be mailed physical letters this week."
EVIT is offering affected individuals 12 months of complimentary identity and credit monitoring.
Popular Targets
EVIT is among a growing group of educational institutions that cybercriminals have struck in recent months.
Organizations in the education sector are attractive targets for cybercriminals for a variety of reasons but especially due to the sensitivity of data held by these institutions, said Grayson North, senior security consultant at GuidePoint Security.
Since the beginning of 2024, GuidePoint has observed 95 organizations in the education sector that cybercriminals have publicly claimed as ransomware victims, North said.
Of these victims, 36% were claimed by LockBit, which, after a dominant streak as the most prolific ransomware gang, was disrupted by international law enforcement and sanctioned by the U.S. government in May, he said.
"Despite these headwinds, LockBit has shown a willingness to continue their operations," he said. "Other than LockBit, almost all established ransomware gangs have shown a willingness to attack educational facilities."
Royal rebrand BlackSuit has claimed eight so far this year, Ransom Inc has claimed seven, and the recently launched ransomware-as-a-service operation RansomHub has already claimed five, North said.
"Like any other organization, educational facilities hold a considerable amount of personally identifiable information on their employees for HR purposes. In education, the scope of this data is expanded to include students as well. Beyond the typical information gathered for admissions, an educational facility, like a university, may hold all types of student data as they may act as a student's housing, healthcare and sometimes insurance provider.
"In the modern world, this data all lives in centrally accessible database solutions meaning that once an actor has access to an institution's network, they can move laterally to put a considerable breadth of data at risk," he said.