Posted On December 7, 2022 Consumer Privacy & Data Breaches
On November 30, 2022, Suffolk University filed notice of a data breach with attorney general offices in several states after the school confirmed that an unauthorized party was able to access and remove files from its IT network that contained confidential student information. Based on the school’s official filing, the incident resulted in an unauthorized party gaining access to students’ names, Social Security numbers, driver’s license numbers, state identification numbers, financial account information and protected health information. After confirming that consumer data was leaked, Suffolk University began sending out data breach notification letters to all individuals who were impacted by the recent data security incident.
If you received a data breach notification, it is essential you understand what is at risk. The data breach lawyers at Console & Associates, P.C. are actively investigating the Suffolk University data breach on behalf of people whose information was exposed. As a part of this investigation, we are providing free consultations to anyone affected by the breach who is interested in learning more about the risks of identity theft, what they can do to protect themselves, and what their legal options may be to obtain compensation from Suffolk University.
The available information regarding the Suffolk University breach comes from the school’s various filings with the Attorneys General of Vermont, Massachusetts, California and Texas. According to these sources, Suffolk University recently discovered a potential cyber security incident. While the school does not mention when it first learned of the event, in response to this discovery, Suffolk University then secured its systems and launched an investigation in hopes of determining whether any confidential student or faculty information was leaked as a result of the intrusion.
The school’s investigation confirmed that an unauthorized party had gained access to the Suffolk University computer network. Further, this unauthorized party removed certain files containing sensitive information belonging to students and faculty.
Upon discovering that sensitive consumer data was made available to an unauthorized party, Suffolk University began to review the affected files to determine what information was compromised and which consumers were impacted. While the breached information varies depending on the individual, it may include your name, Social Security number, driver’s license number, state identification number, financial account information and protected health information.
On November 30, 2022, Suffolk University sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident. While the total number of students affected by the Suffolk University data breach hasn’t been released, there are reportedly more than 36,000 victims in Massachusetts alone.
Founded in 1906, Suffolk University is a public university located in Boston, Massachusetts. The school offers more than 60 undergraduate, graduate and online degree programs through seventeen academic departments. The current student enrollment at Suffolk University is approximately 10,000, and the school employs a full-time faculty of over 900. In addition to the programs offered through the school’s main campus, Suffolk University also runs the Sawyer Business School and the Suffolk Law School. In total, Suffolk University employs more than 2,400 people and generates approximately $107 million in annual revenue.
Yes, schools and colleges, like businesses, non-profits, and government agencies, may be financially responsible for the harms a data breach victim suffers. However, a university is not automatically liable for a data breach just because a hacker was able to bypass the school’s data security system and access student information; the breach must be a result of the school’s negligence in order for it to be legally responsible. Additionally, affected students or faculty must prove that the school’s negligence was the cause of or a contributing factor to the breach.
In most cases, university data breaches are the result of cybercriminals specifically targeting that particular school. These hackers employ sophisticated scams and cyberattacks to carry out the cyberattack in hopes of stealing student or faculty data that they can either use to commit fraud or sell to others on the dark web. However, schools that have implemented up-to-date data privacy systems may be able to deter hackers from initiating an attack and, in the event of an attack, can usually detect the breach much sooner.
There are a few ways a school or university can be negligent when it comes to a data breach. For example, if a college is careless in how they store student data, such as by failing to encrypt files containing sensitive student information, it may result in a school being liable for the breach. Similarly, if an employee of the college responds to a phishing email, either by providing their login credentials or student information or by clicking on a malicious link that enables the hacker to access the school’s network, the school may also be liable.
Of course, these are just a few of the ways that a college may be liable for a data breach. Unfortunately, it can be very difficult for students and faculty to know what led to a data breach, which can make it challenging to determine whether they have a claim. Data breach lawyers can assist students, faculty and others who believe their information may have been leaked as a result of a university data breach.
At Console & Associates, P.C., our consumer privacy lawyers monitor all security and data breaches to help affected consumers pursue their legal remedies. We offer free consultations to victims of data breaches and can explain your rights in clear, understandable terms so you can make an informed decision about how to proceed with your case. If you’ve been affected by the Suffolk University data breach or any other data security incident, Console & Associates, P.C., will investigate your case at no charge and offer you thorough advice about how to most effectively proceed with your case. If you decide to bring a case, we only get paid if you do. If your claim is successful, any legal fees are either paid by the defendant or come out of the funds recovered from the defendant. If your claim doesn’t result in a recovery, you will pay nothing.
Below is a copy of the initial data breach letter issued by Suffolk University (the actual notice sent to consumers can be found here):
We are writing with important information regarding a cybersecurity incident that occurred this past summer. The privacy and security of the personal information we maintain is of the utmost importance to Suffolk University. As such, we wanted to provide you with information about the incident, explain the services we are making available to you, and let you know that we continue to take significant measures to protect your information.
We discovered that unauthorized access to our network occurred on or about July 9, 2022.
What We Are Doing
Upon learning of this issue, we immediately contained and secured the threat and commenced a prompt and thorough investigation. As part of our investigation, we engaged external cybersecurity professionals experienced in handling these types of incidents to determine the extent of any compromise of the information on our network. Based on our comprehensive investigation, we concluded that certain documents and records were accessed and/or obtained in connection with this incident. Following our extensive manual document review, we determined on November 14, 2022 that certain of your personal information was present in those documents and records.
What Information Was Involved
The impacted information included your personal information, specifically your [Redacted].
What You Can Do
To date, we are not aware of any reports of identity fraud, or of any dissemination or improper use of your information as a result of this incident. Nevertheless, out of an abundance of caution, we wanted to make you aware of this incident and explain the resources available to you.
We are making available services to help safeguard you against identity fraud, and suggest steps that you should take as well. To protect you from potential misuse of your information, we are offering a complimentary one-year membership of Experian IdentityWorks Credit 3B. This product helps detect possible misuse of your personal information and provides you with identity protection services focused on immediate identification and resolution of identity theft. IdentityWorks Credit 3B is completely free to you and enrolling in this program will not hurt your credit score. For more information on identity theft prevention and IdentityWorks Credit 3B, including instructions on how to activate your complimentary one-year membership, please see the additional information provided in this letter.
We have also included an attachment that provides other precautionary measures you can take to protect your personal information, including placing a fraud alert and/or security freeze on your credit files, and/or obtaining a free credit report. Additionally, you should always remain vigilant in reviewing your account statements for fraudulent or irregular activity on a regular basis.