Trocaire College Cyberattack Exposes Sensitive Data of Over 23,000 Individuals
A cyberattack on Trocaire College in Buffalo, New York, detected on March 13, 2025, compromised the personal information of more than 23,000 current and former students and employees, including names and Social Security numbers. The college confirmed the breach in a notice filed with the Maine Attorney General but did not notify affected individuals until January 16, 2026, nearly 10 months later.
Trocaire College stated it was unaware of any misuse of the stolen data but urged impacted individuals to monitor their accounts and credit reports. The institution also offered one year of identity theft protection and credit monitoring, along with a $1 million insurance reimbursement policy, to those whose Social Security numbers were exposed. In a prepared statement, President Bassam Deeb emphasized the college’s commitment to enhancing network security with the help of cybersecurity experts.
The delayed notification has sparked three class-action lawsuits, including one filed by former employee Challis Graham, who reported an increase in spam calls and messages following the attack. The lawsuits allege Trocaire failed to implement adequate cybersecurity measures and neglected to promptly inform victims, allowing stolen data to potentially circulate on the dark web.
Higher education institutions have become prime targets for cybercriminals, with ransomware attacks on schools and colleges rising 114% between 2020 and 2022, according to a Bank of America report. In 2025 alone, 130 confirmed and unconfirmed ransomware attacks on educational institutions were reported in the first two quarters.
Trocaire is not the first local institution to face such an attack. In 2021, Buffalo Public Schools canceled classes after a ransomware incident, later allocating $9 million to bolster its cybersecurity defenses. The incident underscores the growing threat to educational institutions, which store vast amounts of sensitive data attractive to hackers.
Trocaire College TPRM report: https://www.rankiteo.com/company/trocaire
Buffalo Public Schools TPRM report: https://www.rankiteo.com/company/buffalo-state-college
{
  "id": "trobuf1770166380",
  "linkid": "trocaire, buffalo-state-college",
  "type": "Cyber Attack",
  "date": "3/2025",
  "severity": "100",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'customers_affected': '23,000',
'industry': 'Education',
'location': 'Buffalo, New York',
'name': 'Trocaire College',
'type': 'Educational Institution'}],
'customer_advisories': 'Affected individuals urged to monitor accounts and '
'credit reports. Offered one year of identity theft '
'protection and credit monitoring, along with a $1 '
'million insurance reimbursement policy.',
'data_breach': {'number_of_records_exposed': '23,000',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Names',
'Social Security numbers']},
'date_detected': '2025-03-13',
'date_publicly_disclosed': '2026-01-16',
'description': 'A cyberattack on Trocaire College in Buffalo, New York, '
'detected on March 13, 2025, compromised the personal '
'information of more than 23,000 current and former students '
'and employees, including names and Social Security numbers. '
'The delayed notification has sparked three class-action '
'lawsuits, alleging inadequate cybersecurity measures and '
'failure to promptly inform victims.',
'impact': {'brand_reputation_impact': 'Yes',
'data_compromised': 'Personal information, including names and '
'Social Security numbers',
'identity_theft_risk': 'Yes',
'legal_liabilities': 'Three class-action lawsuits'},
'initial_access_broker': {'data_sold_on_dark_web': 'Potential circulation on '
'the dark web'},
'lessons_learned': 'Educational institutions are prime targets for '
'cybercriminals due to vast amounts of sensitive data. '
'Delayed notifications can lead to legal repercussions and '
'increased risk of data misuse.',
'motivation': 'Financial Gain',
'post_incident_analysis': {'corrective_actions': 'Enhanced network security, '
'identity theft protection '
'for affected individuals',
'root_causes': 'Inadequate cybersecurity measures, '
'delayed breach notification'},
'recommendations': 'Implement robust cybersecurity measures, ensure timely '
'breach notifications, and provide identity theft '
'protection to affected individuals.',
'references': [{'source': 'Trocaire College Notice'},
{'source': 'Maine Attorney General Filing'},
{'source': 'Bank of America Report on Ransomware Attacks'}],
'regulatory_compliance': {'legal_actions': 'Three class-action lawsuits',
'regulatory_notifications': 'Filed with the Maine '
'Attorney General'},
'response': {'communication_strategy': 'Delayed notification (10 months '
'later)',
'remediation_measures': 'Enhanced network security',
'third_party_assistance': 'Cybersecurity experts'},
'stakeholder_advisories': 'College committed to enhancing network security '
'with cybersecurity experts.',
'title': 'Trocaire College Cyberattack Exposes Sensitive Data of Over 23,000 '
'Individuals',
'type': 'Data Breach'}