Personal data belonging to more than 155,000 former Pierce College students and staff was leaked on the dark web after a cyberattack this summer, according to a lawsuit.
The Pierce College District is accused of failing to safeguard the sensitive details, including Social Security numbers and banking information, of people affected by the data breach. Sally McAuley, a district student in 2022 and this year, sued the district for negligence in Pierce County Superior Court in an action that her attorneys intend to be a class-action filing, court records show.
“We do not yet know what security protocols Pierce College had in place, but we know that they were insufficient to protect their students’ information,” attorney Timothy Emery said in a statement to The News Tribune.
The complaint, filed Nov. 8, “appears to mischaracterize the nature and scope of the incident,” Pierce College Chancellor and CEO Julie White said in response to an inquiry from The News Tribune, although White declined to say specifically how, citing the college’s practice of not commenting on legal matters.
“We certainly take this seriously,” she said.
Pierce College, which serves more than 13,500 students each year and has campuses in Lakewood and Puyallup, reported on Sept. 8 to the state Attorney General’s Consumer Protection Division that it identified suspicious activity within its network on July 24.
“Upon learning of this activity, Pierce took steps to secure its network and commenced an investigation,” the district’s legal counsel, Benjamin Wanger, wrote in a letter to the state agency. “The investigation found evidence of unauthorized access to Pierce’s network between July 23, 2023 and July 24, 2023, during which time certain files contained on Pierce’s servers were acquired by unauthorized actors.”
White said it would have taken “quite some time” to review all files but, based on what it could determine and acting out of “an abundance of caution,” the college sent letters on Sept. 8 notifying all people whose information may have been put into jeopardy.
The data breach affected 155,811 Washingtonians and compromised their name, Social Security and driver’s license numbers, financial and banking information and full date of birth, according to the Attorney General’s office’s data breach notification page, which tracks data as reported to it by impacted entities such as public agencies.
It was the third-largest single data breach in Washington state this year based on number of people affected, according to figures kept by the state agency, behind breaches reported by T-Mobile (772,593 people) and Shoreline Community College (400,000). In January, Pierce County said that an employee in its auditor’s office accidentally shared the last four digits of 463,000 registered voters’ Social Security numbers with an individual who’d requested voter registration records.
The lawsuit, citing an August report from the cybersecurity publication, CyberNews.com, said that a cybercriminal organization that goes by the name of the “Rhysida gang” later posted personal information stolen from the Pierce College District on a dark web auction page.
EFFECTS OF THE BREACH
At around the time of the incident in July, the district publicly disclosed that it was investigating “a service disruption” interrupting certain online services although not class schedules. Employee email, phones, WiFi and other network-based systems had been down. White said that all major systems were now functional and only some individual work stations needed to be potentially cleared.
McAuley received her notice from the district in October that her personal information had been exposed, according to the lawsuit.
Since the breach, McAuley has seen a “substantial uptick” in spam calls and emails from someone pretending to be a mortgage company and seeking to get more of her personal information, the lawsuit said. An individual tried to use her and her husband’s credit and debit cards in September to submit a Venmo request in their name, resulting in the cards being canceled by McAuley’s bank.
“Plaintiff McAuley is very concerned about identity theft and fraud, as well as the consequences of such identity theft and fraud resulting from the Data Breach,” the lawsuit said. “In fact, many victims of the Data Breach have already experienced harms as a result of the Data Breach, including, but not limited to, identity theft, financial fraud, tax fraud, unauthorized lines of credit opened in their names, medical and healthcare fraud, and unauthorized access to their bank accounts.”
The suit, which is seeking unspecified damages and to recoup legal fees, is asking the court to certify the proposed class of 150,000-plus people affected by the breach. It also asks the Pierce College District to implement certain security measures, including testing, auditing, monitoring and training. It also wants the district to delete the personal information of the plaintiff and members of the class unless the district is able to provide justification for retaining such data when weighed against privacy interests.
“Given that there are less than 5,000 full-time students enrolled there, it appears Pierce kept student data for years instead of purging or archiving it,” Emery said in an email.
The college holds onto student data in the event that students later request their transcripts, according to White, adding that retention policies vary across colleges.
RESPONDING TO THE ATTACK
In the aftermath of the breach, Pierce College worked closely with industry experts and its cybersecurity insurance provider to guide its response, White said.
White said that the district’s security measures were “on par” with other institutions of higher education, in response to a question about whether the college’s standards had been sufficient. It has since increased protections, however, including adding a layer of authentication for access to its system. White said she couldn’t divulge all changes for security reasons.
A web privacy notice on the college’s website notes that the district “has taken several steps to safeguard the integrity of its data and prevent unauthorized access” to information it maintains.
“These measures are designed and intended to prevent corruption of data, block unknown or unauthorized access to our systems and information, and to provide reasonable protection of private information in our possession,” the notice reads.
In notification letters sent to people affected by the breach, the district provided steps that parties could take and offered a free one-year Experian membership to help detect fraud and protect identity.
People may obtain a free credit report each year at AnnualCreditReport.com or by calling 1-877-322-8228.
Anyone who believes they are the victim of fraud should immediately contact the Federal Trade Commission at IdentityTheft.gov or 1-877-438-4338 and file a police report with local law enforcement, the letter said. Individuals can also contact the three nationwide credit reporting companies — Experian, Equifax and TransUnion — to place fraud alerts or credit freezes on their credit reports.
The district told anyone with questions about the incident to call 855-457-9076 between 6 a.m. and 6 p.m. on weekdays.
The lawsuit, citing the district’s web privacy notice, contended that the college had made promises to people whose data it collected that such information would remain confidential.
“We believe that institutions that hold sensitive information have a duty to keep it safe,” Emery said.