Mercyhurst University suffered an external system breach (hacking) between January 16, 2022, and May 15, 2022, exposing sensitive personal data of 19,537 individuals, including 39 Maine residents. The compromised information included names, Social Security numbers, and financial account details, posing a severe risk of identity theft and financial fraud. The university issued written notifications in two phases (November 8, 2022, and February 21, 2023) and offered 12 months of credit monitoring via Epiq to affected individuals. The breach’s prolonged duration (nearly four months) and the nature of the stolen data—highly sensitive financial and identification records—heighten the potential for long-term harm, including fraudulent transactions, credit damage, and reputational erosion for the institution. The incident underscores vulnerabilities in the university’s cybersecurity defenses, particularly against external intrusions targeting personally identifiable information (PII).
TPRM report: https://www.rankiteo.com/company/the-ridge-school-at-mercyhurst-university
"id": "the010091825",
"linkid": "the-ridge-school-at-mercyhurst-university",
"type": "Breach",
"date": "1/2022",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"{'affected_entities': [{'customers_affected': 19537,
'industry': 'Higher Education',
'location': 'Erie, Pennsylvania, USA',
'name': 'Mercyhurst University',
'type': 'Educational Institution'},
{'customers_affected': 39,
'location': 'Maine, USA',
'name': '39 Maine Residents',
'type': 'Individuals'}],
'customer_advisories': 'Written notifications with offer of 12 months of '
'credit monitoring via Epiq',
'data_breach': {'number_of_records_exposed': 19537,
'personally_identifiable_information': ['Names',
'Social Security '
'Numbers'],
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)',
'Financial Data']},
'date_publicly_disclosed': '2022-11-08',
'description': 'The Maine Office of the Attorney General reported that '
'Mercyhurst University experienced an external system breach '
'(hacking) from January 16, 2022, to May 15, 2022. The breach '
'affected 39 Maine residents and a total of 19,537 '
'individuals, potentially compromising their names, Social '
'Security numbers, and financial account information. Written '
'notifications were sent on November 8, 2022, and February 21, '
'2023, and Mercyhurst is providing 12 months of credit '
'monitoring services through Epiq.',
'impact': {'data_compromised': ['Names',
'Social Security Numbers',
'Financial Account Information'],
'identity_theft_risk': 'High (PII and financial data exposed)',
'payment_information_risk': 'High (Financial account information '
'exposed)'},
'references': [{'source': 'Maine Office of the Attorney General'}],
'regulatory_compliance': {'regulatory_notifications': 'Maine Office of the '
'Attorney General'},
'response': {'communication_strategy': 'Written notifications sent on '
'2022-11-08 and 2023-02-21',
'recovery_measures': '12 months of credit monitoring services '
'for affected individuals',
'third_party_assistance': 'Epiq (credit monitoring services)'},
'title': 'Mercyhurst University External System Breach (2022)',
'type': 'Data Breach (External System Hacking)'}