(TNS) \u2014 In January 2024, cyber thieves hacked into East Valley Institute of Technology\u2019s IT infrastructure and stole personal information from over 200,000 current and former students and employees.
Today, two class-action lawsuits filed against the Mesa vocational education provider over that data beach are making their way through Maricopa County Superior Court.
One suit claims the culprit behind the cyber attack was a criminal group known as LockBit \u2014 which in 2022 was the most deployed ransomware variant across the world and continued to be prolific in 2023, according to the U.S. Cybersecurity and Infrastructure Security Agency.
Between January 2020 and at least July 2024, LockBit was deployed against over 2,500 victims, who paid over $500 million in ransom payments and made ransom demands totaling hundreds of millions of dollars, the U.S. Department of Justice said.
And the U.S. Department of Education reported that school districts across the country experience an average of five cyber incidents a week.
Educational institutions are prime targets because they maintain sensitive student and staff personal information and often lack resources to put in place comprehensive cybersecurity programs, SchoolSafety.gov said.
EVIT spokeswoman CeCe Todd said EVIT did not pay any ransom to the group. Beyond that, she said, EVIT \u201chas no comment or statement at this time on pending litigation.\u201d
According to Chris Maddux, EVIT\u2019S information systems director, the institution \u201chas made many updates to our systems and environments\u201d since the data breach.
\u201cEVIT collaborated with our liability insurance provider and the Arizona Department of Homeland Security Cyber Readiness Program for advice and support in making these improvements,\u201d said Maddux in an email.
He provided a list of steps taken by EVIT to enhance its cybersecurity, which included implementing a new backup system and new endpoint protection system, upgrading the firewall and implementing multi-factor authentication for all staff.
The EVIT Governing Board also met behind closed doors Aug. 25 to discuss the lawsuits, but in open session did not disclose what legal action was being taken. It only voted to authorize the superintendent to proceed as discussed in executive session.
EVIT serves about 8,000 high school students from 11 school districts, including Mesa, Gilbert, Higley, Chandler, Fountain Hills, Scottsdale, Queen Creek, Tempe, Apache Junction, J.O. Combs and Cave Creek. It also offers post-secondary programs for adults.
The attorneys for Hunter LaBrake, a former EVIT student, filed suit in March and for Justin Heintz, a former student and employee, in December. Both claim that EVIT failed to properly secure and safeguard the sensitive information.
The suits also state that EVIT failed to report the Jan. 9 breach within the 60-day time period as required.
They claim the institution waited seven months \u2014 until mid-August \u2014 to warn people of the risk via hard-copy notifications. Both LaBrake and Heintz said they received their letters in August.
News of the cyber attack was not widely reported until August after victims were notified and the Office of the Maine Attorney General reported the breach on Aug. 12. EVIT had notified Maine, which then had 12 residents affected by the breach.
Trade media jumped on the story and quoted a number of industry leaders, such as Jason Soroko, a cybersecurity expert.
According to Soroko, the exposure of 48 distinct categories of personally identifiable information was \u201cunusually high\u201d and suggested a vulnerable system that needed stricter controls.
EVIT said that immediately after detecting the incident, \u201cit provided email notification to all current and former students, staff, faculty, and parents with email addresses on file.\u201d
EVIT says it notified potential victims on Jan. 12, 2024, Jan. 24, 2024 and March 5, 2024.
EVIT\u2019s Aug. 13, 2024 letter stated that the records of 208,717 individuals were potentially affected and the information involved included student and military ID numbers, dates of birth, grades, Social Security numbers, driver licenses, financial aid information, bank routing numbers, medical information and home addresses.
\u201cThis attack had a limited impact on our operations,\u201d EVIT said in the notice. \u201cWe promptly took corrective steps to investigate the incident, secure our systems, report the incident to the three largest nationwide consumer reporting agencies and appropriate authorities, contain and remediate the threat, and notify potentially impacted individuals.
\u201cTo date, EVIT has not discovered any publication of EVIT data that contained sensitive information.\u201d
Nonetheless, given the possibility that the information may have been compromised, EVIT said it engaged a third party to conduct a thorough review of all potentially impacted files, which concluded in June 2024.
EVIT also said it hired a third party to add computer security protections and protocols to \u201charden its network infrastructure and offer improved protections\u201d of sensitive data from unauthorized access.
According to LaBrake, \u201cthere has been no assurances offered by EVIT that all personal data or copies of data have been recovered or destroyed, or that defendant has adequately enhanced its data security practices sufficiently to avoid a similar breach of its network in the future.\u201d
The plaintiffs said the breach could have been avoided had EVIT implemented security measures earlier, alleging that as an educational institution it knew or should have known that its electronic records would be targeted by cyber criminals.
\u201cFor EVIT to have permitted this data beach to occur is particularly inexcusable considering, among other things, the recent prevalence of these types of incidents generally and among educational institutions in particular,\u201d Heintz said.
The Arizona Auditor General in a March 2024 report noted EVIT\u2019s deficiencies in its IT security and pointed to the January breach as further evidence. EVIT responded that it accepted the findings and agreed to implement the agency\u2019s recommendations.
EVIT\u2019s IT deficiencies included non-compliance and practices inconsistent with credible industry standards, which increased the risk for authorized access to sensitive information, date loss, errors and fraud, the report said
EVIT also did not regularly review and limit user access to its network and critical systems, the report added.
In a follow-up report released two months ago, the Auditor General said that EVIT was in the process of implementing several of its recommendations, including developing a formal process to regularly perform, at least annually, detailed reviews of administrative and user accounts and assess their access level and need for network and critical systems access.
EVIT also had updated some authentication controls for all its critical IT systems to align with credible industrial standards but has not updated its policies or developed a former process to review its authentication controls against credible industry standards at least annually, the report said.
And though the district has established a policy requiring all employees to undergo annual cybersecurity awareness training, just 86 percent of the district\u2019s 319 employees in Fiscal Year 2024 had completed the training and 52 percent of the 72 employees hired between September and December 2024, the report added.
\u201cBy not ensuring staff receive the required security awareness training, the district continues to be at an increased risk of cybersecurity events resulting in unauthorized system access, data loss, and disruptions to district operations,\u201d the report stated.
EVIT also had not by the time of the July report developed and implemented an IT contingency plan and tested it annually to identify and remedy any deficiencies. According to the Auditor General\u2019s Office, it will assess EVIT\u2019s efforts at a 24-month follow-up.
Also, a former unnamed EVIT employee at the time of the breach said he observed \u201cthat EVIT\u2019s network security seemed to be very lax,\u201d Heintz\u2019s suit said.
Due to EVIT\u2019s \u201creckless, negligent and\/or careless (at a minimum) acts,\u201d resulting in lifelong risk of fraud and identify theft, the plaintiffs\u2019 demands included monetary damages, that EVIT strengthen its data systems, and that the offer of free identify theft protection and credit monitoring extend beyond the 12 months.
Heintz asked for 10 years while LaBrake asked for it to be lifetime.
Both also asked for a jury trial.
\u00a9 2025 East Valley Tribune (Mesa, Ariz.). Distributed by Tribune Content Agency, LLC.<\/p>\n","protected":false},"excerpt":{"rendered":"
(TNS) \u2014 In January 2024, cyber thieves hacked into East Valley Institute of Technology\u2019s IT infrastructure and stole personal information from over 200,000 current and former students and employees.
\nToday, two class-action lawsuits filed against the Mesa vocational education provider over that data beach are making their way through Maricopa County Superior Court.
\nOne suit claims the culprit behind the cyber attack was a criminal group known as LockBit \u2014 which in 2022 was the most deployed ransomware variant across the world and continued to be prolific in 2023, according to the U.S. Cybersecurity and Infrastructure Security Agency.
\nBetween January 2020 and at least July 2024, LockBit was deployed against over 2,500 victims, who paid over $500 million in ransom payments and made ransom demands totaling hundreds of millions of dollars, the U.S. Department of Justice said.
\nAnd the U.S. Department of Education reported that school districts across the country experience an average of five..<\/p>\n","protected":false},"author":3,"featured_media":14700,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1,25],"tags":[],"class_list":["post-14699","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-local","category-news"],"_links":{"self":[{"href":"https:\/\/skybeaconnews.com\/index.php\/wp-json\/wp\/v2\/posts\/14699","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/skybeaconnews.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/skybeaconnews.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/skybeaconnews.com\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/skybeaconnews.com\/index.php\/wp-json\/wp\/v2\/comments?post=14699"}],"version-history":[{"count":0,"href":"https:\/\/skybeaconnews.com\/index.php\/wp-json\/wp\/v2\/posts\/14699\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/skybeaconnews.com\/index.php\/wp-json\/wp\/v2\/media\/14700"}],"wp:attachment":[{"href":"https:\/\/skybeaconnews.com\/index.php\/wp-json\/wp\/v2\/media?parent=14699"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/skybeaconnews.com\/index.php\/wp-json\/wp\/v2\/categories?post=14699"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/skybeaconnews.com\/index.php\/wp-json\/wp\/v2\/tags?post=14699"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}