Lakeland Community College attackers took the personal details of hundreds of thousands of individuals. It took the college nearly six months to notice those affected.
The Ohio, USA-based school has started notifying individuals whose data might have been impacted in the recent data breach.
According to the breach notice which Lakeland submitted to the Maine Attorney General, attackers roamed the college’s network for nearly three weeks between March 7th, 2023, and March 31st, 2023.
An investigation, which the school carried out together with cybersecurity consultants, determined that attackers accessed individuals’ full names and Social Security numbers (SSNs). The breach impacted 285,948 individuals.
Stolen SSNs may end up on underground criminal marketplaces, where cybercrooks can buy the data to use in whichever way they like.
It's estimated that on its own, an SSN costs up to $4 on the dark web. However, the price of a collated dataset with additional information on the individual can double the price.
Having SSNs exposed poses significant risks, as impersonators can use stolen data with names and driver’s license numbers for identity theft.
While the breach notification doesn’t indicate the nature of the attack, it could be linked to a ransomware attack by the Vice Society gang. Lakeland’s data was posted on the gang’s dark web blog.
Lakeland Community College has been a victim of ransomware before, when attackers hit the school in January 2020.
Why do cybercriminals target schools?
Ransomware attacks on educational institutions can be particularly devastating. For example, Lincoln College, established in 1865, had to close up shop after a ransomware attack disrupted the admission process.
One of the reasons that ransomware weighs heavily on educational institutions is that it takes schools and universities the longest to recover from attacks.
A Sophos survey showed that a tenth of higher education schools take over three months to recover from ransomware attacks, more than double the average time for other sectors.
Experts believe that threat actors target education institutions for two key reasons: first, schools lack strong cybersecurity defenses, and second, there’s a wealth of personal data on students in particular.
More from Cybernews:
Subscribe to our newsletter