Attacker steals personal data of 200K+ people with links to Arizona tech school
- Reference: 1723479908
- News link: https://www.theregister.co.uk/2024/08/12/200k_with_links_to_arizona/
- Source link:
The East Valley Institute of Technology (EVIT) [1]said a "cyber incident that involved unauthorized access to the network," which was on January 9, was the cause of the data theft.
Although EVIT didn't specify exactly what type of attack this was, the [2]LockBit ransomware group claimed responsibility for the incident on January 19 with the tagline: "Files will be published!"
[3]
The group's website only now lists victims as far back as February, so it's not clear if EVIT's files were published as LockBit promised, although we couldn't find anything to suggest they were.
[4]
[5]
EVIT itself also said it "has not discovered any publication of EVIT data that contained sensitive information," although third party contractors determined that a trove of data was stolen.
In total, 48 different classes of data were potentially stolen. That isn't to say every impacted individual had this much stolen, but at least one or a combination of the following were compromised:
Class list
Student ID number
Date of birth
Race/ethnicity
Grades
Course schedule
Home phone number
Email address
Home address
Parent/guardian name
Transcript
IEP/504 plan
SSN
Driver's license or state ID
Financial aid information
Class rank
Place of birth
TIN
Tribal ID number
Account number
Routing number
Health insurance information
Account type
Disciplinary file
Medical information
Absence reason
Financial aid account number
Health/allergy information
Diagnosis
Patient ID number
Institution name
Health insurance policy number or subscriber number or policy number
US alien registration number
Medical record number
Treatment location
Payment card number
Mental or physical condition
Treatment type
Prescription information
Passport number
Treatment information
Username with password PIN or login information
Patient account number
Biometric data
Mental or physical treatment
Diagnosis code
Payment card type
Military ID number
Without knowing the specifics of the incident, it's impossible to say how the attackers were able to make off with such a diverse pool of data.
Digital break-ins typically include basic personal data such as names, dates of birth, and contact information, combined with a bank account number – maybe – and/or social security numbers. The worst ones might have access to medical records and full payment card information, for example, but to see this many data points compromised is a rarity.
[6]
Asked about his thoughts on how this could have unraveled, application security specialist Sean Wright told El Reg that "it's likely [due to] the scope of the breach as well as the data that they had stored."
"Most likely in other cases attackers only got access to partial data and in this case, it looks like they may have got access to all of the data. It could also be the system where the data was exposed. It could be the fact they got access to the database, versus an API. Or if they did get access to an API, that API was returning all of the information – I've seen this happen before.
"Unfortunately, it's a bit difficult to say without having the full details. We can only speculate.
[7]
"This also shows the importance of minimizing the amount of data that organizations collect and store. Organizations should only collect data that they absolutely require for their business needs."
EVIT said it's working "tirelessly" to improve its security and mitigate the risk to affected individuals.
[8]Secure Web Gateways are anything but as infosec hounds spot dozens of bypasses
[9]If you give Copilot the reins, don't be surprised when it spills your secrets
[10]Your victim's Windows PC fully patched? Just force undo its updates and exploit away
[11]AWS 'Bucket Monopoly' attacks could allow complete account takeover
The letter to affected individuals reads: "To date, EVIT has contacted the appropriate authorities, locked down [12]VPN access, deployed [13]EDR software , has 24/7 monitoring for the incident, revoked privileged user access, changed all service account passwords, changed all user [14]passwords , revoked domain trust, performed domain cleanup, and rebuilt or replaced 19 virtual servers so that none of the prior impacted servers were brought back onto the network.
"EVIT engaged a third party specializing in network security to help EVIT with adding these and other computer security protections and protocols to harden its network infrastructure and offer improved protections of sensitive data from unauthorized access.
"Further, immediately following detection of the incident, EVIT provided email notification to all current and former students, staff, faculty, and parents with email addresses on file with EVIT. These notices were sent out of an abundance of caution, as EVIT investigated to determine by name potentially impacted individuals."
As ever with breaches like this, all of those whom the incident affects have been offered the usual 12 months of credit monitoring, and the letter sent to these individuals details how to claim it. ®
Get our [15]Tech Resources
[1] https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/e1ddfb24-c68c-48f2-9b14-79b5bb76048d.html
[2] https://www.theregister.com/2024/07/31/five_months_after_lockbit/
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZrqGBCqe2isTVX76iqk8-wAAAE0&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZrqGBCqe2isTVX76iqk8-wAAAE0&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZrqGBCqe2isTVX76iqk8-wAAAE0&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZrqGBCqe2isTVX76iqk8-wAAAE0&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZrqGBCqe2isTVX76iqk8-wAAAE0&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[8] https://www.theregister.com/2024/08/09/secure_web_gateways_are_anything/
[9] https://www.theregister.com/2024/08/08/copilot_black_hat_vulns/
[10] https://www.theregister.com/2024/08/08/microsoft_windows_updates/
[11] https://www.theregister.com/2024/08/07/aws_bucket_monopoly_attacks_could/
[12] https://www.theregister.com/2024/05/07/vpn_tunnelvision_dhcp/
[13] https://www.theregister.com/2024/07/18/russias_fin7_is_peddling_its/
[14] https://www.theregister.com/2024/04/29/uk_lays_password_legislation/
[15] https://whitepapers.theregister.com/
Re: That is a Chinese level of data monitoring.
Yeah, I like that bit about holding individuals to account.
They just hide behind limited corporate liability.
Re: That is a Chinese level of data monitoring.
Sorry to burst your bubble, but every higher ed school (uni, college, etc) collects and stores this information in their SIS. Whether or not it's good, it's standard practice. Much of it is required to be retained for regulatory compliance: those very same audits you want already exist and are done at least yearly or sometimes more often, but they are designed to ensure universities hold on to data as much as to safeguard it.
This was likely a direct breach of the SIS, based on the data they say was exfiltrated. Pretty much the worst thing that can happen. It's likely the systems were not connected to the Internet directly, but some API was exploited or they gained access to internal networks. Due to how these places are structured, complete isolation is not possible, and tons of APIs hook into the data at any one time. Could be a report was found on an insecure FTP sever somewhere too; it's amazing the number of cloud companies and integrations require you to dump tens of thousands of records into a CSV and push it to some FTP (no, not SFTP or FTPS, just FTP, our systems don't support anything else) site.
Hopefully it was an Ellucian product that was exploited, so we can continue to collectively shit on them as an industry.
Re: That is a Chinese level of data monitoring.
Yeah, and until the 1990's your student ID was your SSN (or other national ID number for foreign students).
Re: burst your bubble
They certainly do *not* need to know your:
Medical record number
Treatment location
Treatment type
Prescription information
Treatment information
Patient account number
Mental or physical treatment
Diagnosis code
and I'm reasonably sure that their breach, with that level of information, flagrantly violates HIPAA and they should be sued for retaining this data with the obvious level of rotten data security. I'd LOVE to see that, they have no right to extremely personal medical details just because you attend a class there.
That is a Chinese level of data monitoring.
Although I don't see inside leg measurement and favourite sexual position, almost everything else is on there. And this is just for students?!
The more information you hold, the more of a honeypot you are. You should never store data you don't need. If you do genuinely need it, store it on a system that is not connected to the internet in any way, or better still, on paper in a file in a locked room.
You are painting a target on your back and on the back of everyone you hold data on if you demand that much data and then store it on a system connected to the internet.
It would be nice if folk in relevant positions read about this and audited the information they held, and the way they held it, erased anything they didn't need and moved the rest offline. But that never seems to happen. Maybe the fines need to be much larger, and levied upon the individuals responsible for data storage as well as the companies they work for.