A cybersecurity incident at the East Valley Institute of Technology (EVIT) in Arizona on January 9, 2024, exposed the personal data of over 208,717 individuals [1], including students [1] [5] [7], staff [7], and parents [1] [7].
Description
The breach involved unauthorized access to the institution’s network [3] [6], potentially compromising nearly 50 categories of sensitive data, such as student ID numbers [7], dates of birth [3] [4] [5] [6] [7], login credentials [1], payment card type [1], and military ID numbers [1]. The compromised data also included names, Social Security numbers [2] [3] [4] [6] [8], addresses [5] [8], student grades, email addresses [5], health insurance information [5], medical records [3] [4] [7] [8], financial aid information [4] [5] [7] [8], and biometric data [1] [8]. EVIT disclosed the breach on August 12 and notified affected individuals on August 13. The ransomware group LockBit claimed responsibility for the attack [3] [5] [7] [8], threatening to publish files [5] [7], although EVIT has not discovered any publication of sensitive information online [5]. The stolen information poses a significant risk of identity theft and other fraudulent activities for the victims [2]. Industry experts have emphasized the severity of the breach [1], recommending improved data compartmentalization [1], stricter controls [1], and the implementation of a zero-trust architecture. EVIT has taken steps to secure its systems and protect affected individuals [6], offering free identity protection services to those impacted [8]. The institution remains vigilant in monitoring for any unauthorized activity [6], and recommendations for affected individuals include monitoring for compromised credentials and PII, and strengthening cybersecurity defenses [1]. The breach likely occurred due to the scope of the attack and the amount of data stored by EVIT [3]. The school is working to improve its security measures and has notified affected individuals [3], offering credit monitoring for 12 months [3].
Conclusion
The breach at EVIT has had significant impacts, with the potential for identity theft and other fraudulent activities for the victims. Mitigations such as improved data compartmentalization, stricter controls [1], and the implementation of a zero-trust architecture have been recommended by industry experts. Moving forward, EVIT is working to enhance its security measures and has offered free identity protection services to affected individuals. Vigilance in monitoring for unauthorized activity and strengthening cybersecurity defenses are crucial steps for both the institution and affected individuals to take in order to prevent future breaches.
References
[1] https://www.infosecurity-magazine.com/news/evit-suffers-data-breach-2024/
[2] https://classlawdc.com/2024/08/12/east-valley-institute-of-technology-data-breach-investigation/
[3] https://www.threatshub.org/blog/attacker-steals-personal-data-of-200k-people-with-links-to-arizona-tech-school/
[4] https://markets.financialcontent.com/stocks/article/bizwire-2024-8-12-federman-and-sherwood-investigates-east-valley-institute-of-technology-evit-for-data-breach
[5] https://www.tweaktown.com/news/99870/200-000-students-staff-and-parents-personal-data-exposed-in-recent-hack/index.html
[6] https://dataconomy.com/2024/08/12/evit-data-breach-answering-all-questions/
[7] https://dailyuknews.com/tech/200k-with-links-to-arizona-tech-school-have-data-stolen/
[8] https://cybermaterial.com/evit-suffers-breach-exposing-200k-people/