On November 8, Pacific Union College in California notified the Maine Attorney General’s Office of a breach in March 2023 that impacted 56,041 people. Their notification, submitted by external counsel at McDonald Hopkins, indicates that the breach occurred between March 5 and March 19, 2023 and was discovered on October 9, 2023.
That discovery date is utter rubbish. Let’s dig into this one a bit deeper by consulting the redacted copy of the notification to those affected. It appears below this post.
The notification letter of November 8 states, “We recently discovered unauthorized access to our network occurred between March 5 and March 19, 2023.”
“Recently discovered?” Hardly. On June 6, 2023, DataBreaches reported:
That Pacific Union College (PUC) experienced a cyberattack is not a secret. The college even posted a notice on their website on April 7 stating that they were experiencing “Additional complications relating to the ongoing cybersecurity issue, which has recently affected some of our internal networks, phone systems, and web services.” The remainder of the notice provided the status of various types of systems and services and assured the community of updates “as new information becomes available.”
But the next update on the website wasn’t until May 3, when they wrote (emphasis added by DataBreaches):
Several weeks ago, Pacific Union College experienced what we now know was a targeted ransomware attack. Federal authorities were contacted, and other cybersecurity teams were recruited to work with our IT department.
Pacific Union College had discovered the incident before April 7 and knew it was a ransomware incident by May 3.
So why are they claiming it was discovered on October 9? Because that’s when they discovered personally identifiable information was involved? If so, that, too, appears to be utter rubbish.
Once again, DataBreaches calls your attention to reporting on June 6 that, according to the threat actors, the college had negotiated with them for a month and seen samples of data. Even if the college had not seen samples of student data during the alleged negotiations, on June 6, DataBreaches published redacted examples of personal information of employees and students. On June 6, then, Pacific Union College could have and should have known personal information was involved. Not October 9. On or about June 6 at the latest.
Yet they told Maine the breach was discovered on October 9, and they told those being notified on November 8 that they had “recently discovered” a breach?
Why are entities permitted to get away with such deceptive notifications?
DataBreaches does not know whether the college will be hit with a class action lawsuit over this breach. If they are, plaintiffs’ counsel will likely find the June 6 report noteworthy.
And regardless of whether there is any class-action lawsuit, maybe the California Attorney General and the Federal Trade Commission should take a look both at the college’s risk assessment and security for personal information — including student federal financial aid forms and data that colleges are required to secure under GLBA.