Attacker steals personal data of 200K+ people with links to Arizona tech school

Nearly 50 different data points were accessed by cybercrim


An Arizona tech school will send letters to 208,717 current and former students, staff, and parents whose data was exposed during a January break-in that allowed an attacker to steal nearly 50 types of personal info.

The East Valley Institute of Technology (EVIT) said a "cyber incident that involved unauthorized access to the network," which occurred on January 9, was the cause of the data theft.

Although EVIT didn't specify exactly what type of attack this was, the LockBit ransomware group claimed responsibility for the incident on January 19 with the tagline: "Files will be published!"

The group's website now only lists victims going back as far as February, so it's not clear whether EVIT's files were published as LockBit promised, although we couldn't find anything to suggest they were.

EVIT itself also said it "has not discovered any publication of EVIT data that contained sensitive information," although third-party contractors determined that a trove of data was stolen.

In total, 48 different classes of data were potentially stolen. That isn't to say every impacted individual had this much stolen, but at least one or a combination of the following were compromised:

Without knowing the specifics of the incident, it's impossible to say how the attackers were able to make off with such a diverse pool of data.

Digital break-ins typically include basic personal data such as names, dates of birth, and contact information, combined with a bank account number – maybe – and/or social security numbers. The worst ones might have access to medical records and full payment card information, for example, but to see this many data points compromised is a rarity.

Asked about his thoughts on how this could have unraveled, application security specialist Sean Wright told El Reg that "it's likely [due to] the scope of the breach as well as the data that they had stored."

"Most likely in other cases attackers only got access to partial data and in this case, it looks like they may have got access to all of the data. It could also be the system where the data was exposed. It could be the fact they got access to the database, versus an API. Or if they did get access to an API, that API was returning all of the information – I've seen this happen before.

"Unfortunately, it's a bit difficult to say without having the full details. We can only speculate.

"This also shows the importance of minimizing the amount of data that organizations collect and store. Organizations should only collect data that they absolutely require for their business needs."

EVIT said it's working "tirelessly" to improve its security and mitigate the risk to affected individuals.

The letter to affected individuals reads: "To date, EVIT has contacted the appropriate authorities, locked down VPN access, deployed EDR software, has 24/7 monitoring for the incident, revoked privileged user access, changed all service account passwords, changed all user passwords, revoked domain trust, performed domain cleanup, and rebuilt or replaced 19 virtual servers so that none of the prior impacted servers were brought back onto the network.

"EVIT engaged a third party specializing in network security to help EVIT with adding these and other computer security protections and protocols to harden its network infrastructure and offer improved protections of sensitive data from unauthorized access.

"Further, immediately following detection of the incident, EVIT provided email notification to all current and former students, staff, faculty, and parents with email addresses on file with EVIT. These notices were sent out of an abundance of caution, as EVIT investigated to determine by name potentially impacted individuals."

As ever with breaches like this, all of those whom the incident affects have been offered the usual 12 months of credit monitoring, and the letter sent to these individuals details how to claim it.
