At a glance.
- Community college cancels classes in wake of ransomware attack.
- NYSED investigating Illuminate Education breach.
- Australian state transport agency suffers data breach.
Michigan college cancels classes in wake of ransomware attack.
Inside Higher Education reports that Kellogg Community College (KCC), located in the US state of Michigan, was forced to cancel classes on Monday and implement a password reset for all students, staff, and faculty after being hit by a ransomware attack over the weekend. In an alert on its website, the college disclosed that as of Sunday the school’s systems were still experiencing technical issues as a result of the attack. WXMI reports that KCC Vice President for Strategy, Relations and Communications Eric Greene, released a statement on Monday explaining, “We are still working to understand the full extent of this incident, but as soon as we became aware of it, we immediately assembled a multi-disciplinary team and engaged independent legal counsel and external forensic experts. KCC had backups in place, and we are working systematically with our IT experts to restore our operations.” An update on the school’s site says classes are expected to resume tomorrow.
NYSED investigating Illuminate Education breach.
Remaining in the education sector, we previously noted that at least a million students across twenty-four school districts and eighteen charter schools in the state of New York were impacted by the January cyberattack on education services firm Illuminate Education. The New York State Education Department (NYSED) has launched an investigation into what some are calling the largest breach of US K-12 student data in history. As the Journal notes, New York’s Education Law §2-d states that if a civil penalty is levied against a third-party contractor following an investigation by NYSED’s privacy office, the civil penalty will be “up to $10 per affected student, teacher, and principal.” Because districts make local decisions regarding which online services to use, NYSED cannot yet say for certain how many districts were clients of Illuminate at the time of the breach.
Further complicating matters, NYSED Deputy Director of Communications J.P. O’Hare says the breach impacted one of the state’s Boards of Cooperative Educational Services, which allow districts to share educational services and software and equipment costs. NYSED privacy law also requires that an impacted school must notify NYSED of a third-party breach within ten days of discovery. However, Illuminate did not disclose the breach to New York City Schools until March, two months after detection. Cybersecurity expert Doug Levin says this raises many questions t: “When did Illuminate Education learn of the incident? How did they respond? How is it that multiple schools both inside and outside of New York were affected by this incident? Why did it take so long for Illuminate Education to inform affected parties? What is the total number of records exposed? Have all the affected individuals been notified? If not, when will they be?” The impending investigation will hopefully lead to some answers.
Australian state transport agency suffers data breach.
Transport for NSW, the leading transport and roads agency in New South Wales, Australia, has disclosed that its Authorised Inspection Scheme (AIS) online application experienced a data breach early last month. An unauthorized party accessed application user accounts in the AIS, which facilitates the online application process for potential vehicle inspectors, and in doing so collects personal applicant data including names, addresses, dates of birth, and driver’s license numbers. "We recognise that data privacy is paramount and deeply regret that customers may be affected by this attack," Transport for NSW said. Customers have been advised to be wary of any suspicious email or text activity from individuals claiming they are associated with the agency. Impacted examiners will be notified individually, and Transport for NSW has implemented additional security measures. ZDNet notes that the breach comes just over a year after Transport for NSW was impacted in the cyberattack on Accellion’s file transfer system, which the agency used for file sharing and storage.