In January 2024, EVIT suffered a cyber attack by the LockBit ransomware group, compromising the personal data of 208,717 current and former students and employees. The stolen information included Social Security numbers, driver’s licenses, financial aid details, bank routing numbers, medical records, military IDs, and home addresses, among 48 distinct categories of personally identifiable information (PII). While EVIT claimed no evidence of data publication, the breach exposed victims to lifelong identity theft and fraud risks. The institution faced two class-action lawsuits for negligence, including delayed breach notifications (7 months beyond the 60-day legal requirement) and inadequate cybersecurity measures. EVIT admitted IT deficiencies per an Arizona Auditor General report, citing non-compliance with industry standards, unchecked user access, incomplete staff training (only 86% compliance), and lack of an IT contingency plan. Though EVIT implemented post-breach fixes (MFA, firewall upgrades, backups), plaintiffs argued the damage was preventable and demanded extended credit monitoring (10 years to lifetime) and monetary damages. The attack was linked to LockBit, a prolific ransomware group responsible for over 2,500 global victims and $500M+ in ransom payments.
TPRM report: https://www.rankiteo.com/company/adult-education-at-evit
{
  "id": "adu3863838091025",
  "linkid": "adult-education-at-evit",
  "type": "Ransomware",
  "date": "1/2024",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'customers_affected': '208,717 (current/former '
'students and employees)',
'industry': 'Education',
'location': 'Mesa, Arizona, USA',
'name': 'East Valley Institute of Technology (EVIT)',
'size': '~8,000 high school students; post-secondary '
'programs for adults',
'type': 'Educational Institution (Vocational School)'}],
'attack_vector': 'Ransomware (LockBit)',
'customer_advisories': ['Email notifications (Jan. 12, 24, and March 5, 2024)',
'Hard-copy letters (mid-August 2024)',
'Offer of 12 months of identity theft '
'protection/credit monitoring'],
'data_breach': {'data_exfiltration': 'Yes (no evidence of public publication, '
'but risk remains)',
'file_types_exposed': ['Databases',
'Student/employee records',
'Financial documents',
'Medical files'],
'number_of_records_exposed': '208,717',
'personally_identifiable_information': ['Social Security '
'numbers',
'Driver licenses',
'Bank routing numbers',
'Medical information',
'Home addresses',
'Dates of birth',
'Student/military '
'IDs'],
'sensitivity_of_data': 'High (48 distinct categories of PII, '
'including SSNs and financial data)',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)',
'Financial Data',
'Medical Information',
'Educational Records']},
'date_detected': '2024-01-09',
'date_publicly_disclosed': '2024-08-12',
'description': 'In January 2024, cyber thieves hacked into East Valley '
'Institute of Technology’s (EVIT) IT infrastructure and stole '
'personal information from over 200,000 current and former '
'students and employees. The attack was attributed to the '
'LockBit ransomware group, though EVIT did not pay any ransom. '
'The breach exposed 48 distinct categories of personally '
'identifiable information (PII), including Social Security '
'numbers, financial data, and medical records. EVIT faced two '
'class-action lawsuits for failing to secure data and delaying '
'breach notifications by seven months. The institution has '
'since implemented cybersecurity improvements, including '
'multi-factor authentication, firewall upgrades, and a new '
'backup system.',
'impact': {'brand_reputation_impact': 'Significant reputational damage due to '
'delayed notifications and perceived '
'negligence',
'customer_complaints': ['Two class-action lawsuits filed (Hunter '
'LaBrake and Justin Heintz)'],
'data_compromised': ['Student and military ID numbers',
'Dates of birth',
'Grades',
'Social Security numbers',
'Driver licenses',
'Financial aid information',
'Bank routing numbers',
'Medical information',
'Home addresses'],
'downtime': 'Limited operational impact (no specific duration '
'provided)',
'identity_theft_risk': 'High (lifelong risk for 208,717 affected '
'individuals)',
'legal_liabilities': ['Two class-action lawsuits (pending in '
'Maricopa County Superior Court)',
'Potential regulatory fines for '
'non-compliance with breach notification '
'timelines (60-day requirement violated)',
'Arizona Auditor General report citing IT '
'security deficiencies'],
'operational_impact': 'Minimal disruption to operations; legal and '
'reputational consequences ongoing',
'payment_information_risk': 'High (bank routing numbers and '
'financial aid information exposed)',
'systems_affected': ['IT infrastructure',
'Student and employee databases']},
'initial_access_broker': {'data_sold_on_dark_web': 'Possible (no '
'confirmation, but '
'LockBit’s standard '
'practice)',
'high_value_targets': ['Student databases',
'Employee records',
'Financial aid systems']},
'investigation_status': 'Ongoing (third-party review completed June 2024; '
'lawsuits pending)',
'lessons_learned': ['Educational institutions are prime targets due to '
'sensitive data and limited cybersecurity resources.',
'Delayed breach notifications exacerbate legal and '
'reputational risks.',
'Regular security training, access reviews, and '
'contingency planning are critical.',
'Third-party collaboration is essential for effective '
'incident response.'],
'motivation': 'Financial gain (ransom demands, data theft for dark web sales)',
'post_incident_analysis': {'corrective_actions': ['Implemented MFA for all '
'staff',
'Upgraded firewall and '
'endpoint protection',
'New backup system deployed',
'Developing formal '
'processes for annual '
'account reviews and '
'authentication control '
'assessments',
'Policy updates for '
'cybersecurity training and '
'contingency planning (in '
'progress)'],
'root_causes': ['Lax network security controls',
'Inadequate user access reviews',
'Insufficient cybersecurity '
'training (only 86% of employees '
'completed FY2024 training)',
'Lack of annual IT contingency '
'plan testing',
'Non-compliance with industry '
'standards for authentication and '
'access management']},
'ransomware': {'data_encryption': 'Likely (standard LockBit tactic)',
'data_exfiltration': 'Yes',
'ransom_paid': 'No',
'ransomware_strain': 'LockBit'},
'recommendations': ['Extend identity theft protection beyond 12 months '
'(plaintiffs request 10 years/lifetime).',
'Fully implement Arizona Auditor General’s '
'recommendations (e.g., annual account reviews, '
'authentication control updates, contingency planning).',
'Ensure 100% compliance with cybersecurity training for '
'all employees.',
'Conduct regular penetration testing and vulnerability '
'assessments.',
'Enhance transparency in breach communications to rebuild '
'trust.'],
'references': [{'source': 'Tribune News Service (TNS)'},
{'source': 'U.S. Cybersecurity and Infrastructure Security '
'Agency (CISA) - LockBit Advisory'},
{'source': 'U.S. Department of Justice - LockBit Ransomware '
'Statistics'},
{'source': 'Arizona Auditor General - March 2024 Report on '
'EVIT IT Deficiencies'},
{'source': 'Maine Attorney General - Breach Notification (Aug. '
'12, 2024)'}],
'regulatory_compliance': {'legal_actions': ['Two class-action lawsuits '
'(Hunter LaBrake and Justin '
'Heintz)',
'Potential regulatory penalties '
'pending'],
'regulations_violated': ['Breach notification '
'timeline (60-day '
'requirement; EVIT '
'notified after 7 months)',
'Arizona Auditor General’s '
'IT security standards '
'(non-compliance with '
'access controls, '
'training, contingency '
'planning)'],
'regulatory_notifications': ['Maine Attorney '
'General (12 residents '
'affected)',
'Three nationwide '
'consumer reporting '
'agencies',
'Arizona Department of '
'Homeland Security']},
'response': {'communication_strategy': ['Email notifications to '
'current/former students, staff, '
'faculty, and parents (sent on '
'2024-01-12, 2024-01-24, 2024-03-05)',
'Hard-copy notifications mailed in '
'mid-August 2024 (7 months after '
'breach)',
'Public disclosure via Maine Attorney '
'General’s office (2024-08-12)',
'Aug. 13, 2024 letter detailing '
'breach scope'],
'containment_measures': ['Secured systems',
'Reported incident to consumer '
'reporting agencies',
'Engaged third parties for review and '
'remediation'],
'enhanced_monitoring': 'Yes (as part of security improvements)',
'incident_response_plan_activated': 'Yes (immediate '
'investigation and '
'containment)',
'law_enforcement_notified': 'Yes (notified appropriate '
'authorities)',
'recovery_measures': ['Offered 12 months of free identity theft '
'protection and credit monitoring '
'(plaintiffs demand 10 years/lifetime)',
'Hardened network infrastructure'],
'remediation_measures': ['Implemented new backup system',
'Deployed new endpoint protection '
'system',
'Upgraded firewall',
'Implemented multi-factor '
'authentication (MFA) for all staff',
'Developed formal process for annual '
'account access reviews (in progress)',
'Updated authentication controls for '
'critical IT systems (partial '
'compliance)'],
'third_party_assistance': ['Liability insurance provider',
'Arizona Department of Homeland '
'Security Cyber Readiness Program',
'Unnamed third-party for file review '
'(completed June 2024)',
'Unnamed third-party for security '
'protections and protocol hardening']},
'stakeholder_advisories': ['EVIT Governing Board closed-door meeting (Aug. '
'25, 2024) to discuss lawsuits',
'Superintendent authorized to proceed with legal '
'action (no public details)'],
'threat_actor': 'LockBit (criminal ransomware group)',
'title': 'East Valley Institute of Technology (EVIT) Data Breach',
'type': ['Data Breach', 'Ransomware Attack'],
'vulnerability_exploited': ['Lax network security',
'Inadequate access controls',
'Lack of regular security reviews',
'Insufficient cybersecurity training']}