Ohio Community College Data Theft Breach Affects Nearly 300KResearchers Say Breach Illustrates Why Schools Are Major Targets for Cybercriminals
An Ohio community college is notifying 290,000 people of a data theft breach this spring that may have compromised their personal, financial and health information.
In a breach notification Wednesday, Lakeland Community College did not provide any details on the attack, which occurred between March 7 and March 31, but the Vice Society ransomware group earlier this year had listed the college on its data leak website.
"This particular ransomware operation seemed to focus on the education sector - presumably because they found it to be a lucrative niche," said Brett Callow, a threat analyst at security firm Emsisoft.
While the community college breach may be relatively small, the incident illustrates why small schools such as this are now favored targets of cybercriminals, according to security researchers. In fact, a Sophos survey in June of 400 respondents in education found that about 80% of schools have reported hacking incidents, including ransomware, in the past year.
"Education traditionally struggles with lower levels of resourcing and technology than many other industries, and the data shows that adversaries are exploiting these weaknesses," Sophos said.
Lakeland Community College, based in Kirtland, Ohio, in a report filed Wednesday to the state of Maine attorney general, said an investigation into the incident had concluded Aug. 20 and determined that a variety of information was removed from the college's network, affecting 285,948 individuals, including two Maine residents.
In a breach notice posted on its website, Lakeland Community College said affected information includes individuals' full names plus one or more of the following: Social Security numbers, birthdates, driver's license numbers or state identification numbers, financial account information, credit or debit card information, passport numbers, medical information, and/or health insurance policy information.
Lakeland Community College operates a health clinic on its campus, which partners with University Hospitals, a network of 21 hospitals in northeast Ohio.
Lakeland said that to date, it is unaware of any reports of identity fraud or improper use of any information as a direct result of its incident. The college is offering complimentary identity and credit monitoring to individuals whose Social Security numbers were affected.
Security researchers say the education sector is an increasingly popular target for cybercriminals.
Overall, the education sector continues to be battered by ransomware; more school districts have been hit so far this year than were hit in the whole of last year, said Emsisoft's Callow.
When it comes to K-12 school districts, Emsisoft counted 63 hits with ransomware in 2023 so far, and 53 of those involved district data being stolen. For all of 2022, Emsisoft counted 45 ransomware attacks on K-12 school districts, and 25 of those incidents involved data thefts, Callow said.
As the 2023-2024 school year recently kicked off, the U.S. federal government started taking measures to shore up cyber defenses in the education market, especially for the K-12 segment.
In August, the Cybersecurity and Infrastructure Security Agency said it would train 300 K-12 entities over the 2023-2024 school year and conduct approximately one K-12 cyber exercise per month this year (see: White House Pushes Cybersecurity Defense for K-12 Schools).
Also, CISA and the Department of Education have released guidance documents outlining steps to better protect educational infrastructure. The recommendations include enabling multifactor authentication, using strong and unique passwords, recognizing phishing attempts and keeping software updated.
The Federal Communications Commission has proposed a $200 million program to use the Universal Service Fund to strengthen the cyber defenses of school districts and public libraries.
Last year, the FBI was called in to respond after the Russian-speaking group Vice Society hit the Los Angeles Unified School District just as 500,000 students across thousands of schools had been slated to start classes for the 2022-2023 academic year (see: L.A. School District Confirms Student Data Leaked in Attack).
Lakeland Community College did not immediately respond to Information Security Media Group's request for additional details, including whether Vice Society was involved in its incident or if the school was reporting the incident as a HIPAA breach to federal regulators.
As of Thursday, the Lakeland Community College incident was not posted on the U.S. Department of Health and Human Services' Office for Civil Rights' HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals.