The Ohlone Community College District, which is located in the San Francisco Bay Area, is recovering from a ransomware attack that shut down phones and emails for 10 days in January and potentially exposed sensitive personal information.
The district, which serves more than 15,000 students, posted an updated data breach notice last week explaining that the full range of data that was potentially exposed included dates of birth, Social Security numbers, U.S. alien registration numbers, driver’s license numbers, financial account numbers, routing numbers, financial institution names, medical information, health insurance information, student ID numbers, race and ethnicity data, class lists, course schedules, disciplinary files, grades, transcripts and disability aid information.
Jen Marquez, an Ohlone spokesperson, told EdScoop in an email on Friday that along with shutting down phones and emails, the incident took down the district's student portal for 17 days and its student information system for a week. The breach could potentially expose data for past and current employees, students and faculty.
As the district continues investigating and notifying those affected, some details are still under wraps to “continue to protect the security of the college,” Marquez wrote. That includes which systems attackers accessed and how many people were affected, as well as whether the district has determined how the breach occurred. The institution did not include in its data breach notice whether a ransom was paid. There is no current evidence that data is being misused, according to the notice.
The district changed account logins and is reviewing its security and data-storage policies in response to the attack, according to the notice.
Higher education continues to be a prime target for bad actors looking to access personal information via ransomware and other attacks. There were ransomware attacks at 62 school districts and 26 college and university campuses in 2021, according to a count by the cybersecurity firm Emsisoft.
Other education institutions reporting breaches this January include Midland University in Nebraska, which notified attorneys general in multiple states about the attack. An attack on the software company Finalsite in early January prompted thousands of school districts to shut down systems. (The provider announced later in the month there was no evidence that data had been stolen during the attack.)