Attacker steals personal data of 200K+ people with links to Arizona tech school


An Arizona tech school will send letters to 208,717 current and former students, staff, and parents whose data was exposed during a January break-in that allowed an attacker to steal nearly 50 types of personal info.

The East Valley Institute of Technology (EVIT) said a "cyber incident that involved unauthorized access to the network," which was on January 9, was the cause of the data theft.

Although EVIT didn't specify exactly what type of attack this was, the LockBit ransomware group claimed responsibility for the incident on January 19 with the tagline: "Files will be published!"

The group's leak site currently lists victims only as far back as February, so it's not clear whether EVIT's files were ever published as LockBit promised, although we couldn't find anything to suggest they were.

EVIT itself also said it "has not discovered any publication of EVIT data that contained sensitive information," although third party contractors determined that a trove of data was stolen.

In total, 48 different classes of data were potentially stolen. That isn't to say every impacted individual had this much stolen, but at least one or a combination of the following were compromised:

Class list

Student ID number

Date of birth

Race/ethnicity

Grades

Course schedule

Home phone number

Email address

Home address

Parent/guardian name

Transcript

IEP/504 plan

SSN

Driver's license or state ID

Financial aid information

Class rank

Place of birth

TIN

Tribal ID number

Account number

Routing number

Health insurance information

Account type

Disciplinary file

Medical information

Absence reason

Financial aid account number

Health/allergy information

Diagnosis

Patient ID number

Institution name

Health insurance policy number or subscriber number or policy number

US alien registration number

Medical record number

Treatment location

Payment card number

Mental or physical condition

Treatment type

Prescription information

Passport number

Treatment information

Username with password PIN or login information

Patient account number

Biometric data

Mental or physical treatment

Diagnosis code

Payment card type

Military ID number

Without knowing the specifics of the incident, it's impossible to say how the attackers were able to make off with such a diverse pool of data.

Digital break-ins typically include basic personal data such as names, dates of birth, and contact information, combined with a bank account number – maybe – and/or social security numbers. The worst ones might have access to medical records and full payment card information, for example, but to see this many data points compromised is a rarity.

Asked about his thoughts on how this could have unraveled, application security specialist Sean Wright told El Reg that "it's likely [due to] the scope of the breach as well as the data that they had stored."

"Most likely in other cases attackers only got access to partial data and in this case, it looks like they may have got access to all of the data. It could also be the system where the data was exposed. It could be the fact they got access to the database, versus an API. Or if they did get access to an API, that API was returning all of the information – I've seen this happen before.

"Unfortunately, it's a bit difficult to say without having the full details. We can only speculate.

"This also shows the importance of minimizing the amount of data that organizations collect and store. Organizations should only collect data that they absolutely require for their business needs."
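Wright's two points, an API that returns every column of a record and the case for storing less in the first place, can be illustrated with a small Python sketch. This is an added example, not code from the article, from EVIT, or from any system involved in the incident; the student record, the field names and the per-purpose views are all constructed for illustration.

```python
# Added example: per-purpose field allowlists as a data-minimisation control.
# The record, field names and views below are constructed for illustration.

# A constructed, over-broad "student row" of the kind the article's class list
# implies. Every value is a placeholder, not real data.
SAMPLE_RECORD = {
    "student_id": "S-000123",
    "name": "Sample Student",
    "email": "student@example.invalid",
    "course_schedule": ["ENG101", "CIS220"],
    "grades": {"ENG101": "B", "CIS220": "A"},
    "ssn": "000-00-0000",
    "date_of_birth": "2005-01-01",
    "medical_information": "placeholder",
    "routing_number": "000000000",
}

# Fields that a general-purpose read endpoint should never return. In a real
# system this list would be derived from a data classification, not hard-coded.
SENSITIVE_FIELDS = frozenset({
    "ssn", "date_of_birth", "medical_information", "routing_number",
})

# One allowlist per caller purpose: a schedule screen and a gradebook screen
# each get only the columns they need. Anything not listed is never serialised.
VIEWS = {
    "schedule_view": ("student_id", "name", "course_schedule"),
    "gradebook_view": ("student_id", "name", "grades"),
}


def fetch_record_unfiltered(record):
    """The failure mode Wright describes: the endpoint hands back the whole row,
    so any caller (or anyone who compromises the caller) gets every column."""
    return dict(record)


def fetch_record_for_view(record, view):
    """Project the stored row onto the allowlist for the requested purpose.
    Unknown views are rejected rather than falling back to 'return everything'."""
    if view not in VIEWS:
        raise KeyError(f"no allowlist defined for view {view!r}")
    return {name: record[name] for name in VIEWS[view] if name in record}


def leaked_sensitive_fields(response):
    """Detection-side check: which classified fields appear in an API response?
    Suitable for a test suite or a response-logging hook; returns a sorted list."""
    return sorted(SENSITIVE_FIELDS & set(response))


if __name__ == "__main__":
    print("unfiltered leaks:", leaked_sensitive_fields(fetch_record_unfiltered(SAMPLE_RECORD)))
    print("schedule view:", fetch_record_for_view(SAMPLE_RECORD, "schedule_view"))
    print("schedule leaks:", leaked_sensitive_fields(fetch_record_for_view(SAMPLE_RECORD, "schedule_view")))
```

The `leaked_sensitive_fields` check is the part worth keeping around: run it against every endpoint's responses in CI and a new column added to the database table cannot silently start flowing out through an existing view. Fields that no view ever lists are candidates for not being stored at all, which is the minimisation point Wright makes.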

EVIT said it's working "tirelessly" to improve its security and mitigate the risk to affected individuals.


The letter to affected individuals reads: "To date, EVIT has contacted the appropriate authorities, locked down VPN access, deployed EDR software, has 24/7 monitoring for the incident, revoked privileged user access, changed all service account passwords, changed all user passwords, revoked domain trust, performed domain cleanup, and rebuilt or replaced 19 virtual servers so that none of the prior impacted servers were brought back onto the network.

"EVIT engaged a third party specializing in network security to help EVIT with adding these and other computer security protections and protocols to harden its network infrastructure and offer improved protections of sensitive data from unauthorized access. 

"Further, immediately following detection of the incident, EVIT provided email notification to all current and former students, staff, faculty, and parents with email addresses on file with EVIT. These notices were sent out of an abundance of caution, as EVIT investigated to determine by name potentially impacted individuals."

As ever with breaches like this, all of those whom the incident affects have been offered the usual 12 months of credit monitoring, and the letter sent to these individuals details how to claim it.  ®
