Pacific Union College discloses ransomware attack leading to massive data breach

Pacific Union College (PUC), a private four-year college, has become the latest victim of a ransomware attack, exposing a significant trove of highly sensitive personal and financial information. The incident, attributed to the ransomware group Trigona, has raised concerns about the vulnerability of colleges to cyber threats and the potential consequences for the affected individuals.

The breach at PUC has affected 56,041 individuals, according to the Maine Attorney General’s Office. Trigona, the group behind the attack, has claimed responsibility and threatened to sell the stolen data if their ransom demands are unmet. The compromised data encompasses a wide range of confidential information, including financial account details, employee information, student records, and financial aid documents.

The stolen data reportedly includes financial account information, credit/debit card numbers, employee details such as names, addresses, Social Security numbers, and student records containing personal and financial information. Particularly concerning is the breach of Student Aid Reports (SARs), which contain detailed information about students and their families, including names, addresses, income, and taxes paid.

PUC’s response to the cyber attack has been scrutinized due to a seemingly delayed acknowledgment of the incident. On April 7, 2023, the college acknowledged ongoing cybersecurity issues, and on May 3, it confirmed the targeted ransomware attack. However, the extent of the compromise was not fully disclosed until June 9, when PUC issued a final web update.

Trigona claimed to have been negotiating with PUC for a month, providing samples and a data listing. Despite publishing redacted samples of the stolen data, PUC maintained in its June 9 update that there was no evidence of personal information compromised. PUC reported the data breach to the California Attorney General’s Office on November 7, 2023 – eight months after the attack. Victims received notifications one day later. The letter sent to victims stated that PUC only “recently” discovered unauthorized access to its network, a claim contradicting the information reported to the Maine Attorney General’s Office on October 9, 2023.