The East Valley Institute of Technology (EVIT) has suffered a “cybersecurity incident” that involved roughly 48 different categories of personally identifiable information (PII) and affected over 200,000 current and former students, faculty, and parents.
Earlier this year, on January 9th, 2024, the career training school was “the target of a cybersecurity incident.” Threat actors gained access to the network, impacting the records of 208,717 individuals.
For those individuals, a possible 48 categories of PII may have been accessed according to a breach notification letter. However, this information varies by individual and "not all of this data was potentially compromised," EVIT said.
These include:
- Class lists
- Student ID numbers
- Dates of birth
- Race/ethnicities
- Grades
- Course schedules
- Home phone numbers
- Email addresses
- Home addresses
- Parent/guardian names
- Transcripts
- Individualized education plans (IEP) or 504 plans (developed for students with disabilities)
- Social Security numbers
- Driver’s licenses or State IDs
- Financial aid information
- Class ranks
- Places of birth
- Taxpayer identification numbers
- Tribal IDs
- Account numbers
- Routing numbers
- Health insurance information
- Account types
- Disciplinary files
- Medical information
- Absence reasons
- Financial aid account numbers
- Health/allergy information
- Diagnosis
- Patient ID numbers
- Institution name
- Health insurance policy numbers, subscriber numbers, or policy numbers
- US alien registration numbers
- Medical record numbers
- Treatment locations
- Payment card numbers
- Mental or physical condition treatment types
- Prescription information
- Passport numbers
- Treatment information
- Username with password pins or login information
- Patient account numbers
- Biometric data
- Mental or physical diagnosis codes
- Payment card type
- Military ID number
In the breach notification letter, EVIT said that “this attack had limited impact on (its) operations,” and the public school district has taken steps to investigate the incident and secure its systems.
EVIT reported the incident to “the three largest nationwide consumer reporting agencies and appropriate authorities.” The career training school also claimed to have contained and remediated the threat.
The institution also employed third-party experts and conducted a full investigation of the incident, which was concluded recently. EVIT said that it hadn’t observed the publication of any of the personally identifiable information.
“EVIT is working tirelessly to improve security and mitigate risk. To date, EVIT has contacted the appropriate authorities, locked down VPN Access, deployed EDR software, has 24x7 monitoring for the incident, revoked Parent or Guardian of privileged user access, changed all service account passwords, changed all user passwords, revoked domain trust, performed domain cleanup, and rebuilt or replaced nineteen virtual servers so that none of the prior impacted servers were brought back onto the network,” the breach notification letter reads.
Following the conclusion of the investigation, EVIT has posted a website notice for impacted individuals.
Furthermore, impacted individuals can receive identity theft protection through IDX, which includes 12 months of CyberScan monitoring, a $1,000,000 insurance reimbursement policy, and fully managed ID theft recovery services.
Your email address will not be published. Required fields are markedmarked