On September 19, 2020, DataBreaches.net reported that Guilford Technical Community College (GTCC) in North Carolina appeared to have become a ransomware victim of DoppelPaymer on September 13.
The following month, this site followed up by asking whether GTCC had notified the more than 43,000 students whose data had appeared on the dark web. A spokesperson for the college responded:
Guilford Technical Community College has notified faculty, staff and students of a recent ransomware cyberattack. This communication was in response to an unauthorized access to the college’s network, which was discovered on Sept. 13, 2020.
Upon discovery of the event, the College immediately launched an investigation, with the assistance of leading cybersecurity experts, the Federal Bureau of Investigation, and other state agencies to determine what happened and to remediate impacted systems.
Additionally, out of an abundance of caution, the college is proactively taking the necessary steps to assist those individuals who have been potentially impacted by the attack. The college’s faculty, staff and students will be offered free credit monitoring and identity restoration services.
So in October 2020, the college said those potentially impacted would be offered credit monitoring and identity restoration services. But it seems that those offers may not have been made until this week.
Yesterday, external counsel for GTCC notified the Maine Attorney General’s Office about the breach. The notification indicated that a total of 65,646 current or former students, faculty members, or staff members were being notified of the incident and that written notification would go out on January 13, 2022. A sample notification letter for adults was attached to the submission.
One of the most shocking aspects of the notification (apart from its delay) is that it does not mention that data was leaked on the dark web back in October 2020.
From part of the sample notification letter (emphasis added by this site):
You are receiving this letter as the data mining determined that your personal information was present on GTCC’s network at the time of the attack and may have been accessible to the cybercriminal as a result. This personal information includes your: name, <>. There is no confirmation that this personal information was accessed or acquired by the cybercriminal(s).
“May have been accessible?” “No confirmation that this personal information was accessed or acquired?” Seriously? Is that what they wrote to all the people whose personal information was actually leaked on the dark web?
Perhaps there is another letter that went to people who had their personal information leaked on the dark web?
DataBreaches.net sent an email inquiry to GTCC to ask whether there was an alternative notification for those who had their data leaked in October 2020. No reply has been received.
So almost 1.5 years after a ransomware incident, those impacted are sent a letter that is misleading at best, with an offer of help that should have been made back in October 2020.
Does the government think that is just fine? As this site pointed out in 2020, the Federal Trade Commission can enforce data security for financial aid data under the GLBA. Why doesn’t it? And what is the U.S. Education Department doing?