The East Valley Institute of Technology (EVIT), based in Mesa, Arizona, reported a breach impacting the records of 208,717 students across 48 personally identifiable information (PII) categories — considered by security pros to be a much larger list than in most security incidents.
Darren Guccione, co-founder and CEO at Keeper Security, pointed out that while we often hear about breaches that involve data such as names, addresses or Social Security numbers, the inclusion of additional sensitive information such as biometric data, login credentials, and military ID numbers significantly escalates the severity of this breach.
“The wide range of compromised data heightens the risk for affected individuals, exposing them to potential identity theft, fraud and unauthorized account access,” said Guccione. “The first step for potential victims is to sign up for identity theft protection services. Organizations need a tool that can alert them in real time if user information shows up on the dark web so that they can take immediate action.”
According to a filing with the Maine Attorney General’s Office, the attack on EVIT took place on Jan. 9. EVIT said the attack had a limited impact on its operations and that it has not discovered publication of any EVIT data that contained sensitive information. However, given the potential that sensitive information may have been compromised, EVIT hired a third party to review all of the impacted files.
EVIT said that, to date, it has taken the following steps: contacted the appropriate authorities, locked down VPN access, deployed EDR software, put 24-7 monitoring in place for the incident, revoked privileged user access, changed all service account passwords, changed all user passwords, revoked domain trust, performed domain cleanup, and rebuilt or replaced 19 virtual servers so that none of the prior impacted servers were brought back onto the network.
Jason Soroko, senior vice president of product at Sectigo, said the exposure of 48 distinct categories of PII in the EVIT breach is unusually high, even for significant cybersecurity incidents. Soroko said while breaches often involve multiple types of PII, the sheer number in this case suggests either a particularly vulnerable system or a lack of adequate data segmentation and encryption practices.
“Typically, not all categories are reported unless accessed, indicating that EVIT's data was likely less protected and more accessible across multiple layers,” said Soroko. “This highlights the need for organizations to improve data compartmentalization and implement stricter controls to limit the exposure of sensitive information in the event of a breach. Organizations should limit data collection to only what’s absolutely necessary for operations and enforce strict access controls.”
Tom Siu, chief information security officer at Inversion6, added that EVIT services a specific community: education and training for career development of both high school and adult students. Siu said the breadth of affected information managed by an institution that covers both secondary education and adult career training indicates that the student information system, or similar systems that support the institution, suffered a compromise and possible exfiltration.
“These types of PII are going to be common for this niche institution of community college and high school overlap,” said Siu. “The extended time needed to assess the impact, between January and June 2024, is an indication that possibly multiple file servers with unstructured data were affected. The challenge for cybersecurity teams in smaller institutions like EVIT is that there's going to be low investment in cybersecurity overall, while finding the balance between overhead and enrollment revenue.”