Posted on November 16, 2022 | Consumer Privacy & Data Breaches
On November 9, 2022, Sierra College filed notice of a data breach with the Montana Attorney General’s office after the school learned that it was the target of a recent ransomware attack that jeopardized some of the confidential information in its possession. Based on the school’s official filing, the incident resulted in an unauthorized party gaining access to consumers’ names, addresses, passport numbers, driver’s license numbers, Social Security numbers, financial account information, and medical information. After confirming that consumer data was leaked, Sierra College began sending out data breach notification letters to all individuals who were impacted by the recent data security incident.
If you received a data breach notification, it is essential you understand what is at risk. The data breach lawyers at Console & Associates, P.C. are actively investigating the Sierra College data breach on behalf of people whose information was exposed. As a part of this investigation, we are providing free consultations to anyone affected by the breach who is interested in learning more about the risks of identity theft, what they can do to protect themselves, and what their legal options may be to obtain compensation from Sierra College.
The available information regarding the Sierra College breach comes from the school’s official data breach filing with the Attorney General of Montana. According to this source, on August 20, 2022, Sierra College was the target of a ransomware attack, which encrypted a portion of the school’s computer network. In response, Sierra College took the necessary steps to secure its network and protect student and employee data. Then, the school enlisted the assistance of a third-party forensic firm to investigate the incident and determine what, if any, student or employee data was leaked as a result.
On October 19, 2022, the school’s investigation confirmed that an unauthorized party had gained access to its network. The investigation also revealed that some of the files that were accessible to the hackers contained sensitive information belonging to certain students and employees of Sierra College.
Upon discovering that sensitive consumer data was made available to an unauthorized party, Sierra College began to review the affected files to determine what information was compromised and which students and employees were impacted. While the breached information varies depending on the individual, it may include your name, address, passport number, driver’s license number, Social Security number, financial account information, and medical information.
On November 9, 2022, Sierra College sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident. In this letter, Sierra College explains that the school will be offering 12 months of credit protection to those who were impacted by the breach.
Founded in 1936, Sierra College is a public community college located in Rocklin, California. Sierra College offers approximately 125 degree and certificate programs and is fully accredited by the Western Association of Schools and Colleges. The school has a current enrollment of approximately 25,000 and employs a faculty of roughly 900. Sierra College is part of the Sierra Joint Community College District, which covers over 3,200 square miles across El Dorado and Sacramento counties, as well as parts of Nevada. Sierra College employs more than 1,249 people and generates approximately $148 million in annual revenue.
Sierra College’s filing with the Montana Attorney General provides some useful information about what led to the recent data breach. There, the school explains that its computer system was partially encrypted as a result of a ransomware attack.
A ransomware attack is a type of cyberattack in which a hacker installs malware on a company’s computer network. The malware encrypts some or all of the data on the company’s computer system, preventing anyone within the organization from accessing the system. Encryption is a process that encodes files, making them inaccessible to anyone who does not have the encryption key, which is typically an alphanumeric password.
When planning a ransomware attack, hackers will often use a technique called “phishing” to gain access to the organization’s computer network. Phishing involves sending an email to an employee of the organization in hopes of getting them to click on a malicious link, download a malicious file, or provide their information directly to the hacker.
Once the employee clicks on the malicious link, it downloads the malware onto their computer. The malware then encrypts the files on the computer and may infect other parts of the organization’s network. The hackers then send management a message demanding the payment of a monetary ransom in exchange for the encryption key.
If the company pays the ransom, the hackers decrypt the company’s computer system, which typically ends the attack. While it is possible that hackers would not release the information back to the company, they typically end a cyberattack once the organization pays the ransom, because otherwise there would be no incentive for companies to pay ransoms in future ransomware attacks.
However, more recently, an even more disturbing trend has started to emerge. Hackers have begun telling companies that if they do not pay the ransom by the deadline, the hackers will publish the stolen data on the dark web. Once on the dark web, it can be used by anyone to commit identity theft and other frauds. So, while companies are undoubtedly the targets of ransomware attacks, the real victims of these attacks are the consumers whose information ends up in the hands of potential criminals.
Large organizations like Sierra College not only have the resources to pay a ransom, but they also have the ability to implement robust data security systems that can stop most ransomware attacks before they infect a system. When an organization fails to adequately protect the consumer information in its possession, it may be liable to victims of a breach through a data breach lawsuit.
At Console & Associates, P.C., our consumer privacy lawyers monitor all security and data breaches to help affected consumers pursue their legal remedies. We offer free consultations to victims of data breaches and can explain your rights in clear, understandable terms so you can make an informed decision about how to proceed with your case. If you’ve been affected by the Sierra College data breach or any other data security incident, Console & Associates, P.C., will investigate your case at no charge and offer you thorough advice about how to most effectively proceed with your case. If you decide to bring a case, we only get paid if you do. If your claim is successful, any legal fees are either paid by the defendant or come out of the funds recovered from the defendant. If your claim doesn’t result in a recovery, you will pay nothing.
Below is a copy of the initial data breach letter issued by Sierra College (the actual notice sent to consumers can be found here):
We are writing to notify you that Sierra Joint Community College District (“Sierra College”) experienced a security incident that may have involved some of your personal information. This notice explains the incident, what we are doing, and steps you may want to take in response.
On August 20, 2022, Sierra College’s network was attacked and some of its systems were encrypted by ransomware. Upon discovery, we took immediate action to secure our network, protect student and employee data and began the restoration process. We also initiated an investigation into the cause and scope of the incident, and a professional third-party forensic firm was engaged to assist.
What Information Was Involved?
On October 19, 2022, our forensic investigation determined that some of your personal information was stored on a computer system that was accessed by an unauthorized individual. That information included names, addresses, passport numbers, driver’s license numbers, Social Security numbers, financial account information, and/or medical information.
What We Are Doing.
In an effort to prevent a similar incident from occurring in the future, we have implemented additional measures to enhance the security of our network environment. Additionally, as a precaution, we have arranged to provide identity monitoring at no cost to you through IDX. IDX identity protection services include: 12 months of credit and CyberScan monitoring, a $1,000,000 insurance reimbursement policy, and fully managed identity theft recovery services. For more information on identity theft prevention and IDX Identity Monitoring, including instructions on how to activate your complimentary membership, please see the additional pages provided with this letter.
What You Can Do.
It is always a good idea to remain vigilant by regularly reviewing your financial accounts and credit reports for any unauthorized activity. We also encourage you to enroll in IDX’s identity monitoring service. For more information on identity theft prevention and your complimentary services, as well as some additional steps you can take to protect your personal information, please see the additional pages enclosed with this letter.
For More Information.
We regret this incident occurred and apologize for any inconvenience. If you have any questions, please call 1-833-896-5100, Monday through Friday, 6:00 a.m. to 6:00 p.m., Pacific Time.