A former employee of Lewis & Clark College has filed a class-action lawsuit against the school, alleging a cybersecurity breach in which the school failed to take necessary security measures to protect the personal information of students and employees.
According to the lawsuit, the breach occurred on February 28, 2023, but the university did not provide individual notifications to faculty, staff, students, employees, and alumni whose personal information was compromised until late March to early April, more than a year later.
The lawsuit alleges negligence, including failure to “timely detect” the breach of vast amounts of personally identifying information, including dates of birth, Social Security numbers, driver's license numbers and passports, medical and health insurance, and financial account numbers. It also alleges that the university's negligence led to the invasion of privacy.
Lisa Unsworth, a Washington resident who worked at the university from 2005 to 2009, filed the lawsuit in federal court in Portland. She is seeking unspecified economic and punitive damages.
A spokesperson for Lewis & Clark College did not immediately respond to the lawsuit's allegations.
According to Lewis & Clark's website, the perpetrators published “some of Lewis & Clark's data on the 'dark web',” and the university first notified its community of the security breach in March 2023.
“We are currently working to obtain the information and determine the extent to which sensitive personal information is included,” the website said. “While the investigation is still ongoing, out of an abundance of caution, we are now making credit monitoring services available to current students and staff at the University’s expense.”
One law school graduate shared with The Oregonian/OregonLive a letter he received from the university last month.
The university announced that it detected unauthorized access to its data network on March 3, 2023, immediately took steps to protect the network, and launched an investigation with the assistance of cybersecurity experts.
An investigation revealed that a “malicious party” stole data from the university's network on February 28, 2023.
The university said that an “extensive manual review of the data” was then conducted, that a year later it was able to determine whose personal information had been stolen, and that once it had sufficient information to identify a physical address, it sent notification letters to each potentially affected individual.
It is unclear how many people's personal information was compromised.
The university said it has strengthened its network and added security improvements recommended by cybersecurity experts. It also offered “free credit monitoring services” to those affected.
The complaint alleges that the 12 months of credit monitoring services provided are not sufficient.
“Unauthorized access to Plaintiffs' and Class Participants' personal information, particularly Social Security numbers, exposes Plaintiffs and the Class to identity theft indefinitely and limits the limited credit monitoring period that Defendants provided to victims of the breach.” “It puts people at risk far beyond what they deserve,” lawyer Kim D. Stevens writes in the lawsuit.
And earlier this month, the university posted a new notice on its website saying letters sent to affected people may not have been delivered because “many addresses included the wrong city.”
“The address has been verified as deliverable by the USPS tool that verifies addresses and zip codes. We apologize for any confusion caused by the incorrect city, but it does not affect delivery. The replaced letter will include the same address as in the original letter,” the university's website states. “We apologize for these mistakes and the inconvenience caused as a result. We would like to assure you that these errors are not the result of the work of our forensic data investigators. The letter is legitimate and the information in the letter regarding the data accessed is accurate.”
Shortly after the university discovered the cyberattack last year, cybersecurity news group The Record reported that the cybercrime group Vice Society claimed credit for the theft of documents from the university, including images of documents containing passports and Social Security numbers. It reported that the group posted what is said to be a sample of the documents.
Lewis & Clark has not publicly condemned the Vice Society attack, but several cybersecurity experts posted a screenshot of the organization responsible for the breach.
The Federal Bureau of Investigation issued a warning in September 2022 that Vice Society was “unfairly targeting the education sector” with its attacks. Ransomware attacks against universities have increased in recent years, with similar trends across all business sectors, according to a report from cybersecurity group Sophos.
– Maxine Bernstein covers federal courts and criminal justice. Contact her at 503-221-8212, mbernstein@oregonian.com. Follow her on X @maxoregonian or on LinkedIn.