Cybersecurity breach at Lewis & Clark College spurs class-action suit alleging negligence
A former employee of Lewis & Clark College has filed a class-action suit against the school, alleging it failed to take necessary safety precautions to protect student and employee personal information in a cybersecurity breach.
The breach occurred on Feb. 28, 2023, but the college didn’t send individual notices to staff, students, employees and alumni whose personal information had been compromised until late March and early April, more than a year later, the suit says.
The suit alleges negligence, including failure to “timely detect” the breach of vast quantities of private personal identifying information, including dates of birth, Social Security numbers, driver’s license numbers and passport, medical and health insurance and financial account numbers. It also alleges the college’s negligence led to invasions of privacy.
Washington resident Lisa Unsworth, who was an employee of the college from 2005 to 2009, filed the suit in federal court in Portland. It seeks unspecified economic and punitive damages.
A Lewis & Clark College spokesperson did not immediately respond to the suit’s allegations.
According to Lewis & Clark’s website, the cybercriminals responsible published “some amount of Lewis & Clark data on the ‘dark web,’” and the college first notified the college community of the security breach in March 2023.
“We are currently working to retrieve the information and to determine the extent to which it includes any sensitive personal information,” the website said then. “Although the investigation is still ongoing, we are making credit monitoring services available now to current students and employees, at the college’s expense, out of an abundance of caution.”
One law school alum shared the letter he received last month from the college with The Oregonian/OregonLive.
It said the college detected unauthorized access to its data network on March 3, 2023, and then immediately took steps to secure the network and launched an investigation, assisted by cybersecurity professionals.
The investigation found that the “bad actors” took data from the college’s network on Feb. 28, 2023.
The college said an “extensive manual review of the data” was then done, and a year later, the school determined whose personal information was stolen and was sending notification letters “to each potentially affected individual for whom it has enough information to determine a physical address.”
It’s unclear how many people had their personal information breached.
The college said it has strengthened its network and added security improvements recommended by cybersecurity experts. It also offered those affected “complimentary credit monitoring services.”
The lawsuit alleges the 12-month credit monitoring service offered isn’t sufficient.
“The unauthorized access of Plaintiff and Class members’ Private Information, especially their Social Security numbers, puts Plaintiff and the Class at risk of identity theft indefinitely, and well beyond the limited period of credit monitoring that Defendant offered victims of the Breach,” attorney Kim D. Stephens wrote in the suit.
Then early this month, the college posted a new notice to its website, saying that the letters it sent to people impacted may not have arrived because “many addresses included the incorrect city.”
“Addresses were validated for deliverability via a USPS tool that validates street address and zip code. We regret the confusion caused by the incorrect city, but it should not impact delivery. The replacement letters will contain the same addresses as the original letters,” the college website said. “We apologize for these errors and the inconvenience that has resulted. We want to assure you that the errors were not the result of the work of our forensic data investigator. The letters are legitimate and the information in the letters about the data that was accessed is accurate.”
Shortly after the college detected the cyberattack last year, the cybersecurity news group The Record reported that cybercrime group Vice Society had claimed credit and posted a sampling of documents allegedly stolen from the college, including images of passports and documents that include Social Security numbers.
Lewis & Clark has not publicly blamed Vice Society for the attack, though several cybersecurity professionals posted screenshots of the organization taking responsibility for the breach.
The Federal Bureau of Investigation issued an alert in September 2022 warning that Vice Society was “disproportionately targeting the education sector” with its attacks. A report from cybersecurity group Sophos says that ransomware attacks against colleges and universities have increased in recent years, following a similar trend across all business sectors.
— Maxine Bernstein covers federal court and criminal justice. Reach her at 503-221-8212, mbernstein@oregonian.com, follow her on X @maxoregonian, or on LinkedIn.