News: 1723479908

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Attacker steals personal data of 200K+ people with links to Arizona tech school

(2024/08/12)


An Arizona tech school will send letters to 208,717 current and former students, staff, and parents whose data was exposed during a January break-in that allowed an attacker to steal nearly 50 types of personal info.

The East Valley Institute of Technology (EVIT) [1]said a "cyber incident that involved unauthorized access to the network," which was on January 9, was the cause of the data theft.

Although EVIT didn't specify exactly what type of attack this was, the [2]LockBit ransomware group claimed responsibility for the incident on January 19 with the tagline: "Files will be published!"

[3]

The group's website only now lists victims as far back as February, so it's not clear if EVIT's files were published as LockBit promised, although we couldn't find anything to suggest they were.

[4]

[5]

EVIT itself also said it "has not discovered any publication of EVIT data that contained sensitive information," although third party contractors determined that a trove of data was stolen.

In total, 48 different classes of data were potentially stolen. That isn't to say every impacted individual had this much stolen, but at least one or a combination of the following were compromised:

Class list

Student ID number

Date of birth

Race/ethnicity

Grades

Course schedule

Home phone number

Email address

Home address

Parent/guardian name

Transcript

IEP/504 plan

SSN

Driver's license or state ID

Financial aid information

Class rank

Place of birth

TIN

Tribal ID number

Account number

Routing number

Health insurance information

Account type

Disciplinary file

Medical information

Absence reason

Financial aid account number

Health/allergy information

Diagnosis

Patient ID number

Institution name

Health insurance policy number or subscriber number or policy number

US alien registration number

Medical record number

Treatment location

Payment card number

Mental or physical condition

Treatment type

Prescription information

Passport number

Treatment information

Username with password PIN or login information

Patient account number

Biometric data

Mental or physical treatment

Diagnosis code

Payment card type

Military ID number

Without knowing the specifics of the incident, it's impossible to say how the attackers were able to make off with such a diverse pool of data.

Digital break-ins typically include basic personal data such as names, dates of birth, and contact information, combined with a bank account number – maybe – and/or social security numbers. The worst ones might have access to medical records and full payment card information, for example, but to see this many data points compromised is a rarity.

[6]

Asked about his thoughts on how this could have unraveled, application security specialist Sean Wright told El Reg that "it's likely [due to] the scope of the breach as well as the data that they had stored."

"Most likely in other cases attackers only got access to partial data and in this case, it looks like they may have got access to all of the data. It could also be the system where the data was exposed. It could be the fact they got access to the database, versus an API. Or if they did get access to an API, that API was returning all of the information – I've seen this happen before.

"Unfortunately, it's a bit difficult to say without having the full details. We can only speculate.

[7]

"This also shows the importance of minimizing the amount of data that organizations collect and store. Organizations should only collect data that they absolutely require for their business needs."

EVIT said it's working "tirelessly" to improve its security and mitigate the risk to affected individuals.

[8]Secure Web Gateways are anything but as infosec hounds spot dozens of bypasses

[9]If you give Copilot the reins, don't be surprised when it spills your secrets

[10]Your victim's Windows PC fully patched? Just force undo its updates and exploit away

[11]AWS 'Bucket Monopoly' attacks could allow complete account takeover

The letter to affected individuals reads: "To date, EVIT has contacted the appropriate authorities, locked down [12]VPN access, deployed [13]EDR software , has 24/7 monitoring for the incident, revoked privileged user access, changed all service account passwords, changed all user [14]passwords , revoked domain trust, performed domain cleanup, and rebuilt or replaced 19 virtual servers so that none of the prior impacted servers were brought back onto the network.

"EVIT engaged a third party specializing in network security to help EVIT with adding these and other computer security protections and protocols to harden its network infrastructure and offer improved protections of sensitive data from unauthorized access.

"Further, immediately following detection of the incident, EVIT provided email notification to all current and former students, staff, faculty, and parents with email addresses on file with EVIT. These notices were sent out of an abundance of caution, as EVIT investigated to determine by name potentially impacted individuals."

As ever with breaches like this, all of those whom the incident affects have been offered the usual 12 months of credit monitoring, and the letter sent to these individuals details how to claim it. ®

Get our [15]Tech Resources



[1] https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/e1ddfb24-c68c-48f2-9b14-79b5bb76048d.html

[2] https://www.theregister.com/2024/07/31/five_months_after_lockbit/

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZrqGBCqe2isTVX76iqk8-wAAAE0&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZrqGBCqe2isTVX76iqk8-wAAAE0&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZrqGBCqe2isTVX76iqk8-wAAAE0&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZrqGBCqe2isTVX76iqk8-wAAAE0&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZrqGBCqe2isTVX76iqk8-wAAAE0&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[8] https://www.theregister.com/2024/08/09/secure_web_gateways_are_anything/

[9] https://www.theregister.com/2024/08/08/copilot_black_hat_vulns/

[10] https://www.theregister.com/2024/08/08/microsoft_windows_updates/

[11] https://www.theregister.com/2024/08/07/aws_bucket_monopoly_attacks_could/

[12] https://www.theregister.com/2024/05/07/vpn_tunnelvision_dhcp/

[13] https://www.theregister.com/2024/07/18/russias_fin7_is_peddling_its/

[14] https://www.theregister.com/2024/04/29/uk_lays_password_legislation/

[15] https://whitepapers.theregister.com/



That is a Chinese level of data monitoring.

Tron

Although I don't see inside leg measurement and favourite sexual position, almost everything else is on there. And this is just for students?!

The more information you hold, the more of a honeypot you are. You should never store data you don't need. If you do genuinely need it, store it on a system that is not connected to the internet in any way, or better still, on paper in a file in a locked room.

You are painting a target on your back and on the back of everyone you hold data on if you demand that much data and then store it on a system connected to the internet.

It would be nice if folk in relevant positions read about this and audited the information they held, and the way they held it, erased anything they didn't need and moved the rest offline. But that never seems to happen. Maybe the fines need to be much larger, and levied upon the individuals responsible for data storage as well as the companies they work for.

Re: That is a Chinese level of data monitoring.

sitta_europea

Yeah, I like that bit about holding individuals to account.

They just hide behind limited corporate liability.

Re: That is a Chinese level of data monitoring.

sev.monster

Sorry to burst your bubble, but every higher ed school (uni, college, etc) collects and stores this information in their SIS. Whether or not it's good, it's standard practice. Much of it is required to be retained for regulatory compliance: those very same audits you want already exist and are done at least yearly or sometimes more often, but they are designed to ensure universities hold on to data as much as to safeguard it.

This was likely a direct breach of the SIS, based on the data they say was exfiltrated. Pretty much the worst thing that can happen. It's likely the systems were not connected to the Internet directly, but some API was exploited or they gained access to internal networks. Due to how these places are structured, complete isolation is not possible, and tons of APIs hook into the data at any one time. Could be a report was found on an insecure FTP sever somewhere too; it's amazing the number of cloud companies and integrations require you to dump tens of thousands of records into a CSV and push it to some FTP (no, not SFTP or FTPS, just FTP, our systems don't support anything else) site.

Hopefully it was an Ellucian product that was exploited, so we can continue to collectively shit on them as an industry.

Re: That is a Chinese level of data monitoring.

Anonymous Coward

Yeah, and until the 1990's your student ID was your SSN (or other national ID number for foreign students).

Re: burst your bubble

Snake

They certainly do *not* need to know your:

Medical record number

Treatment location

Treatment type

Prescription information

Treatment information

Patient account number

Mental or physical treatment

Diagnosis code

and I'm reasonably sure that their breach, with that level of information, flagrantly violates HIPAA and they should be sued for retaining this data with the obvious level of rotten data security. I'd LOVE to see that, they have no right to extremely personal medical details just because you attend a class there.

"This is lemma 1.1. We start a new chapter so the numbers all go back to
one."
-- Prof. Seager, C&O 351