Posted On February 3, 2022 Consumer Privacy & Data Breaches
February 3, 2022 – Over the past few years, cybercrime has emerged as a major threat to consumers. Hackers and other criminal actors who are able to bypass an organization’s security system can often obtain sensitive consumer data that they can then use to commit identity theft or other crimes. Recently, Pellissippi State Community College (“PSSC”) announced that it experienced a data security incident stemming from a ransomware attack. As a result of the data breach, the sensitive information of as many as 206,000 individuals, including faculty, current and former students, as well as staff and participants in the Tennessee Consortium for International Studies may have been compromised.
News of the Pellissippi State College data breach just broke, and details are sparse. However, according to an official filing, between December 5-6, 2021, Pellissippi State Community College learned that an unauthorized party may have breached the school’s computer system in a ransomware attack. Although the school’s investigation is ongoing, Pellissippi State Community College confirmed that at least one of the school’s systems was compromised. As a result, personal and identifying information was accessible to the unauthorized party. The compromised information may include individuals’ PSCC username; PSCC email address; office location and phone number; job title and department; P number (a unique number the school assigns to each student and employee); General user ID number; and PSCC account password.
The data breach lawyers at Console & Associates, P.C. are investigating the Pellissippi College data security incident to determine whether affected parties have any legal claims against the school. If evidence emerges that Pellissippi State Community College failed to meet its consumer privacy and data security obligations, the institution may be liable through a data breach class action lawsuit.
Cyberattacks such as the Pellissippi College data breach are increasingly common in today’s society. Schools and businesses retain and store vast amounts of data electronically. Hackers are aware of this and regularly exploit any known vulnerabilities. Once a cybercriminal breaches a computer network, they can access and remove sensitive consumer information from the compromised systems. After a security breach, an organization can often determine that certain files were accessible to the hacker; however, they may not be able to confirm which of the compromised files were actually viewed or whether the hacker removed any of the data contained in those files. Thus, as a matter of course, organizations experiencing a data breach inform anyone whose information was compromised.
Despite the risks these security breaches present, there is a common misconception that there is little that can be done in the wake of a data breach. For those impacted by a data breach, it is essential to understand what happened, what your rights are, and how you can pursue them.
When you allowed Pellissippi State Community College access to your personal data, you trusted the school to keep your sensitive information safe. However, news of the Pellissippi State Community College data breach raises some very serious questions about the school’s data security measures in place at the time of the breach and whether the school could have done more to prevent such an attack.
Like businesses, schools also have an ethical and legal obligation to protect the sensitive student and employee information in their possession. And while creating a data security system involves a certain amount of work and expense, doing so is justified given the frequency with which these cyberattacks occur.
Under U.S. consumer privacy and data breach laws, consumers can pursue legal action against organizations that misuse or mishandle their information. Of course, news of the Pellissippi College data breach is still quite fresh, and many details about the incident are still unknown. So, at this point, it is too early to tell if Pellissippi State Community College bears any legal responsibility for the breach. However, our data breach attorneys are investigating the Pellissippi State Community College security breach and its potential causes to determine the potential legal remedies of those affected.
If you have questions about your ability to pursue a data breach class action lawsuit against Pellissippi State Community College, contact a data breach attorney as soon as possible.
If you are a student or faculty member at Pellissippi State Community College, it is possible you will receive a PSSC data breach notification in the coming weeks. If you do, it means your personal data was compromised in the recent ransomware attack. It also means that an unauthorized party may have accessed and stolen your personal data. Given the risks involved, it is important you remain vigilant by taking the following steps:
While placing a credit freeze on your accounts may initially seem like a drastic measure, according to the identity Theft Resource Center (“ITRC”), doing so is the “single most effective way to prevent a new credit/financial account from being opened.” However, IRTC reports that just 3% of consumers whose information is leaked place a freeze on their accounts.
Pellissippi State Community College is a public community college located in Hardin Valley, Tennessee. The school has five campuses, including the main campus in Hardin Valley, the Division Street Campus in Knoxville, the Magnolia Avenue Campus in East Knoxville, the Blount County Campus in Maryville, and the Strawberry Plains Campus. The student body consists of approximately 10,000 students, and the school employs 185 full-time faculty, 265 adjunct faculty and 231 staff members.
Below is a copy of the initial data breach letter issued by Pellissippi State Community College (a sample of the actual notice sent to consumers can be found here):
Dear [Consumer],
Pellissippi State Community College (PSCC) is informing individuals of a recent data security incident that may have resulted in the unauthorized access to, or acquisition of, some personal information of our former and current students, faculty, and staff and participants in Tennessee Consortium for International Studies (TNCIS) programs.
What Happened?
PSCC was the victim of a ransomware cyberattack overnight on December 5-6, 2021. We have confirmed unauthorized access to one system, but it is possible that others may have been accessed. While PSCC was also a victim, we apologize for any stress and concern this has caused.
What Information Was Involved?
Our investigation confirmed that the attacker had access to our Active Directory database, which includes first and last name; PSCC username; PSCC email address; office location and phone number; job title and department (if an employee); P number (a unique number assigned to each student and employee used only at PSCC and not used to sign documents); General user ID number (a long random string of numbers used only by PSCC in its Banner system); and PSCC account password (hashed). This was the only database to which access was confirmed. It is possible, however, that other personal data in our system could have been accessed.
What We Are Doing
Since the incident, we have notified local law enforcement, including the Tennessee Bureau of Investigation, and appropriate state and federal authorities, scanned every computer, and enhanced security measures.
What You Can Do
While we do not know if your data was viewed, we generally recommend you remain vigilant, monitor and review your financial and account statements, and report any unusual activity. More specifically, we recommend you:
As a safeguard, we have arranged for you to enroll, at no cost to you, in an online credit monitoring service (myTrueIdentity) for 12 months provided by TransUnion Interactive, a subsidiary of TransUnion®, one of the three nationwide credit reporting companies.
To enroll in this service, go directly to the myTrueIdentity website at www.mytrueidentity.com and in the space referenced as “Enter Activation Code”, enter the following 12-letter Activation Code XXXXXXXXX and follow the three steps to receive your credit monitoring service online within minutes.
If you do not have access to the Internet and wish to enroll in a similar offline, paper based, credit monitoring service, via U.S. Mail delivery, please call the TransUnion Fraud Response Services toll-free hotline at 1-855-288-5422. When prompted, enter the following 6-digit telephone pass code ###### and follow the steps to enroll in the offline credit monitoring service, add an initial fraud alert to your credit file, or to speak to a TransUnion representative if you believe you may be a victim of identity theft. You can sign up for the online or offline credit monitoring service anytime between now and May 31, 2022. Due to privacy laws, we cannot register you directly. Please note that credit monitoring services might not be available for individuals who do not have a credit file with TransUnion, or an address in the United States (or its territories) and a valid Social Security number, or are under the age of 18. Enrolling in this service will not affect your credit score.
Once you are enrolled, you will be able to obtain one year of unlimited access to your TransUnion credit report and credit score. The daily credit monitoring service will notify you if there are any critical changes to your credit file at TransUnion, including fraud alerts, new inquiries, new accounts, new public records, late payments, change of address and more. The subscription also includes access to identity restoration services that provides assistance in the event your identity is compromised to help you restore your identity and up to $1,000,000 in identity theft insurance with no deductible. (Policy limitations and exclusions may apply.)
If you have questions about your online credit monitoring benefits, need help with your enrollment, or need help accessing your credit report, or passing identity verification, please contact the myTrueIdentity Customer Service Team toll-free at: 1-844-787-4607, Monday-Friday: 8am-9pm, Saturday-Sunday: 8am-5pm Eastern time.
If you are receiving this notice for a current or former student who is under the age of 18:
The credit monitoring code listed above is only for adults. If you are receiving this notice for a minor, the parent or guardian can contact the call center listed below to receive a unique code for 12 months of credit monitoring specific for covering minors which will provide notifications to the primary adult member of activity on the child’s Equifax credit report.
