Update: Pellissippi State notifies individuals of data breach
NOTE: This incident was reported to the Maine State Attorney General’s Office as affecting 206,000 individuals.
Nice follow-up by Pellissippi State Community College in Tennessee to their initial breach disclosure in December. From their website yesterday:
Pellissippi State Community College is sending out notifications today regarding a December 2021 data security incident. That incident may have resulted in unauthorized access to, or acquisition of, some personal information of our former and current students, faculty and staff, as well as participants in Tennessee Consortium for International Studies (TNCIS) programs. Notification is being sent upon conclusion of the subsequent cyber forensics investigation.
The forensics investigation revealed that the ransomware attack was focused primarily on encrypting Pellissippi State’s data to force a ransom payment. The college’s main database and credit card payment systems were not involved in the attack, and no data from those systems was accessed by unauthorized users. However, the investigation confirmed unauthorized access to one system that included basic directory information such as names, email addresses, P numbers (internal ID numbers) and Pellissippi State passwords.
The investigation also concluded that it was impossible to determine with certainty whether any additional personally identifiable information was accessed. Therefore, Pellissippi State is urging all persons who have provided data to the college to take action to protect themselves from identity theft. Free credit monitoring is being made available to individuals potentially affected by this possible breach.
“Our students and employees entrust us with important information, and we take that responsibility very seriously,” said L. Anthony Wise Jr., president of Pellissippi State. “Unfortunately, despite our best efforts at data protection, as the investigation into the cyberattack progressed, it became clear that we could not conclude that there was no exposure of personal information. We are notifying members of the college community of this incident and want those who may have provided personal information to the college to be aware of how they can protect themselves.”
Pellissippi State has sent email notices to all individuals with email addresses in its database. This email included a code to sign up for the credit monitoring service. If you did not receive a code and believe you may have been affected or if you have questions, please contact the toll-free hotline at 1-855-604-1808 between Feb. 2 and May 2 or email [email protected]. As always, individuals should monitor activity on their online accounts and report any suspicious behavior to the appropriate authorities.
“Regrettably, attacks by cybercriminals are much more common and are an inherent risk in today’s online environment,” said Pellissippi State Chief Information Officer Audrey Williams. “As soon as this incident was discovered, our Information Services staff acted swiftly to prevent further access by the attackers to our systems. We have been working diligently to restore our online services in a way that will better defend Pellissippi State from future cyberattacks.”
The college has set up a web page at www.pstcc.edu/cyberattack with more detailed information on the event itself and how individuals can protect themselves against potential misuse of personal information.
The college did not pay the ransom demand and declined to comment on the identity of the ransomware group.
For the benefit of some readers who may not know the provisions of FERPA, the college really wouldn’t have to notify students of this breach at all — especially if it was just “directory information,” which is not protected information under FERPA. They could have just forced a password reset to deal with the password issue (the passwords were hashed, but they note that in time, they could still be cracked).
The fact that they could not determine what else might have been accessed or acquired is what makes their notification more admirable, because, still, under FERPA, even if SSN and date of birth were involved, the college still wouldn’t have to notify current or former students of the breach under FERPA. Whether they have to notify under state law is another matter, however.
Similarly, their obligation to notify current and former employees would be more of a matter under state law or any contractual obligations. The associated FAQ does not suggest that any sensitive employee data or payroll data was compromised but they recognize that other systems may have been accessed that they have not yet determined.