Cybercriminals Take 208K Personal Records from East Valley Institute of Technology


Data Breach at East Valley Institute of Technology Sparks Legal Action

In January 2024, a sophisticated cyber intrusion compromised the IT framework of the East Valley Institute of Technology (EVIT), resulting in the theft of personal data pertaining to more than 200,000 current and former students and employees.

Currently, two class-action lawsuits are advancing through the Maricopa County Superior Court against the Mesa-based vocational educational institution related to this egregious data breach.

One of the lawsuits alleges that the attack was orchestrated by LockBit, a notorious criminal syndicate whose ransomware was the most widely deployed variant in 2022 and remained prevalent in 2023, as reported by the U.S. Cybersecurity and Infrastructure Security Agency.

According to the U.S. Department of Justice, LockBit has targeted over 2,500 entities between January 2020 and July 2024, resulting in cumulative ransom payments exceeding $500 million, alongside demands in the hundreds of millions.

The U.S. Department of Education further highlighted that educational institutions encounter an average of five cyber incidents weekly, primarily due to their retention of sensitive personal data and frequently limited resources for robust cybersecurity protocols, as noted by SchoolSafety.gov.

CeCe Todd, a spokesperson for EVIT, stated that the institution did not acquiesce to any ransom demands from the cybercriminals and refrained from commenting further on the ongoing litigation.

In an email, Chris Maddux, EVIT’s Director of Information Systems, affirmed that the institution has enacted numerous upgrades to its systems following the breach.

“EVIT has collaborated with our liability insurance provider and the Arizona Department of Homeland Security Cyber Readiness Program for guidance in enhancing our cybersecurity measures,” Maddux elaborated.

Steps taken to fortify EVIT’s cybersecurity infrastructure include:

  • Implementation of a new backup system.
  • Deployment of an advanced endpoint protection system.
  • Upgraded firewall security.
  • Introduction of multi-factor authentication for all staff.

The EVIT Governing Board convened privately on August 25 to deliberate on the lawsuits, yet opted not to disclose specifics during the public session. It voted only to authorize the superintendent to proceed as previously discussed.

EVIT caters to approximately 8,000 high school students across 11 school districts, such as Mesa, Gilbert, and Chandler, while also offering adult post-secondary programs.

The lawsuits, initiated by former students Hunter LaBrake and Justin Heintz—one in March and the other in December—assert that EVIT failed to adequately secure sensitive information.

Moreover, the suits contend that EVIT did not inform stakeholders of the breach within the mandated 60-day timeframe, instead delaying communication until mid-August—seven months post-incident.

Victims, including LaBrake and Heintz, reportedly received notification letters in August. The news of the breach garnered broader attention only after the victims were informed, and the Office of the Maine Attorney General publicized the matter on August 12, having been notified by EVIT.

Cybersecurity analyst Jason Soroko remarked on the unprecedented nature of the data breach, indicating that the exposure of 48 separate categories of personally identifiable information pointed to a severe lack of security measures.

EVIT asserted that upon detection of the breach, it promptly disseminated email notifications to all current and former students, staff, faculty, and parents for whom it held email addresses, sending alerts on January 12, January 24, and March 5, 2024.

As articulated in EVIT’s letter dated August 13, 2024, an alarming total of 208,717 records were deemed potentially compromised, encompassing vital identifiers such as Social Security numbers, dates of birth, and financial information.

“This incident minimally impacted our operations,” EVIT stated. “We executed immediate corrective measures to investigate, secure our systems, notify the appropriate authorities, and inform affected individuals.”

Despite assurances, LaBrake expressed skepticism regarding EVIT’s guarantees of data recovery and meaningful enhancement of data security practices.

The plaintiffs argue that the breach could have been averted had EVIT instituted timely security protocols, implying that the institution should have recognized the vulnerabilities of its electronic records.

“The negligence exhibited by EVIT in permitting this data breach is particularly unconscionable given the increasing frequency of such incidents within educational landscapes,” remarked Heintz.

A report by the Arizona Auditor General in March 2024 indicated substantial deficiencies in EVIT’s IT security, correlating the January breach with a broader context of systemic weaknesses. EVIT acknowledged these findings and committed to enacting the recommended changes.

Specific deficiencies cited included a lack of compliance with accepted industry standards and insufficient reviews of user access to critical systems.

In a follow-up report issued two months ago, the Auditor General noted that EVIT was in the process of implementing several recommendations, which included establishing a formal process for annual reviews of user access.

EVIT has also begun updating authentication measures, but has yet to formalize a process for regular assessments against recognized industry standards.

Despite enacting an annual cybersecurity awareness training policy, the report noted that only 86% of its 319 employees had completed this training for Fiscal Year 2024.

“Neglect in ensuring comprehensive security training elevates the risk of unauthorized access and data loss,” the report emphasized.

Additionally, EVIT had not developed and adequately tested a viable IT contingency plan until now, and the Auditor General’s Office plans a further assessment in 24 months.


A former employee, speaking anonymously, disclosed that “the perceived laxity in EVIT’s network security” was evident prior to the breach.

Citing EVIT’s “reckless and negligent actions,” the lawsuits seek not only financial damages but also a requirement that the institution bolster its data security systems and offer free identity theft protection for ten years, per Heintz’s request, or for a lifetime, as LaBrake insisted.

Both plaintiffs are also seeking a jury trial.

Source link: Ahwatukee.com.


Reported By

RS Web Solutions
