The California Office of the Attorney General disclosed a data breach affecting ITHAKA on March 31, 2014. Unauthorized actors accessed approximately 800 MyJSTOR accounts, exposing sensitive but non-financial user data. Compromised information included usernames, passwords, email addresses, primary areas of study, academic positions/statuses, and institutional affiliations. While the breach did not involve financial records or highly sensitive personal identifiers (e.g., Social Security numbers or payment details), the exposure of academic credentials and institutional ties posed risks of credential stuffing, targeted phishing, or reputational harm for affected users primarily researchers, students, and faculty. The incident highlighted vulnerabilities in ITHAKA’s authentication systems, though no evidence suggested the stolen data was misused for fraud or broader cyberattacks. The breach was contained without escalation to systemic disruptions or financial losses for the organization or its users.
Source: https://oag.ca.gov/ecrime/databreach/reports/sb24-44654
TPRM report: https://www.rankiteo.com/company/ithaka
"id": "ith001091825",
"linkid": "ithaka",
"type": "Breach",
"date": "3/2014",
"severity": "60",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"{'affected_entities': [{'customers_affected': '800 (MyJSTOR account holders)',
'industry': 'Education / Digital Library Services',
'location': 'New York, USA',
'name': 'ITHAKA',
'type': 'Non-profit Organization'}],
'data_breach': {'data_exfiltration': 'Likely (accounts were accessed without '
'authorization)',
'number_of_records_exposed': '800',
'personally_identifiable_information': ['usernames',
'passwords',
'email addresses',
'positions/academic '
'statuses',
'institutional '
'affiliations'],
'sensitivity_of_data': 'Moderate (includes PII but no '
'financial data)',
'type_of_data_compromised': ['Account Credentials',
'Personal Identifiable '
'Information (PII)',
'Academic Information']},
'date_publicly_disclosed': '2014-03-31',
'description': 'The California Office of the Attorney General reported a data '
'breach involving ITHAKA on March 31, 2014. Approximately 800 '
'MyJSTOR accounts were accessed without authorization, '
'potentially exposing usernames, passwords, email addresses, '
'primary areas of study, positions/academic statuses, and '
'institutional affiliations. Financial information was not '
'accessed.',
'impact': {'data_compromised': ['usernames',
'passwords',
'email addresses',
'primary areas of study',
'positions/academic statuses',
'institutional affiliations'],
'identity_theft_risk': 'Potential (due to exposed PII)',
'payment_information_risk': 'None (financial information was not '
'accessed)',
'systems_affected': ['MyJSTOR accounts']},
'references': [{'date_accessed': '2014-03-31',
'source': 'California Office of the Attorney General'}],
'regulatory_compliance': {'regulatory_notifications': ['California Office of '
'the Attorney '
'General']},
'title': 'Unauthorized Access to MyJSTOR Accounts at ITHAKA',
'type': 'Data Breach'}