On September 19, DataBreaches.net reported that Guilford Technical Community College (GTCC) in North Carolina had apparently become a ransomware victim of DoppelPaymer on September 13.
But on October 6, GTCC was no longer listed on the threat actors’ dedicated leak site. The removal of a victim’s name often indicates that the victim had a change of heart and paid the demanded ransom — or that they had resumed or started negotiations.
DataBreaches.net does not know whether that was the case in this incident, but Aleasha Kivett of Reuben Rink Marketing & Advertising, who supports GTCC with media relations, confirmed today that the college did not pay any ransom. That may explain why Guilford’s name subsequently reappeared on the threat actors’ leak site and the threat actors dumped thousands of files containing student and employee information.
In one file alone, DataBreaches.net found more than 43,000 students’ names, dates of birth, Social Security numbers, postal addresses, phone numbers, and GTCC email addresses.
But has anyone told the students? GTCC initially publicly posted updates about the ransomware attack. But what have they disclosed since the data dump? And to whom?
Today, DataBreaches.net was contacted by a former GTCC student, who had gone searching for information about any GTCC breach after he was notified by a credit monitoring service that his social security number appeared on the dark net. The email address that was linked to it was his old GTCC email address — one that he had only used for college purposes.
His search led him to DataBreaches.net.
“To date, I haven’t received any notice [from GTCC] that my information was leaked,” he wrote to DataBreaches.net.
DataBreaches.net confirmed that his personal information, including unencrypted Social Security number and date of birth, was in the data dump. In fact, his name, address, date of birth, full SSN, phone number, and GTCC email address appeared in five files in the dump. All five files were in a folder related to student financial assistance. His data appeared to be from eight years ago, which raises questions about why old data with unencrypted personal information including full SSN were still on the system.
I have long been concerned about GTCC’s loose handling of student social security numbers, such as inappropriately using them as student ID numbers. But, the concerns I raised fell on deaf ears. I was just another annoying, whiny voice, trying to effect change for the better. Now, I’ll have years of trouble whenever I need a credit check.
To protect himself, he’s placing a security freeze on his credit report, and hopes other former GTCC students take similar steps to protect themselves, especially if, like him, they have not been notified by GTCC or offered any protective or restorative services.
DataBreaches.net reached out to GTCC this morning, to ask if they had notified any students or the state, but received no response by publication deadline. While some might argue that it has “only” been 5+ weeks since the data dump, the reality is that these dumps get shared quickly via a number of forums.
Can the Federal Trade Commission Do Anything?
For those who may be wondering what can be done if GTCC hasn’t notified anyone even though data were dumped more than one month ago, this might be a good time for me to remind folks that I have repeatedly lamented that the FTC does not have data security enforcement authority under the FTC Act over the education sector or non-profit entities.
The FTC does have some enforcement authority under the Gramm–Leach–Bliley Act (GLBA), however. In 2002, the FTC issued Safeguards Rule standards. The regulations require financial institutions (including higher education institutions) to:
…develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to [the institution’s] size and complexity, the nature and scope of [institutional] activities, and the sensitivity of any customer information at issue.
The dumped files — and DataBreaches.net does not know whether DoppelPaymer will be dumping any more GTCC files at some point — include a number of files relating to student financial aid, work study, and even files with the names and social security numbers of student borrowers who defaulted on loans.
Could the FTC investigate and take enforcement action? I am not a lawyer, but I believe that they do have the authority. Will they use it, though? They generally have not tackled GLBA enforcement in higher education, but maybe if some impacted students from GTCC filed complaints with the FTC asking them to look at GTCC’s information security program under the requirements of GLBA, who knows….?
The GLBA does not help the many employees who also had some of their personnel and salary information dumped.
This post will be updated if a response from GTCC is received. Information on North Carolina’s data breach notification law can be found here.
Update of October 27: GTCC still hasn’t replied to this site’s inquiries, but some former students have been calling them, it seems. According to one former student who commented below, GTCC told her today that they are arranging for credit monitoring services for those affected and will know more next week. There is still no notice or disclosure on their web site that informs past and current students and employees about the scope of this breach. Another former student, however, emailed me a response he got from the school today. The text of it is:
Thank you for reaching to make us aware of this situation. We apologize that this has happened.
We take this incident and the security of your information seriously. We are reviewing our policies and procedures and implementing additional safeguards to better protect against similar incidents in the future. We are also offering affected individuals complimentary credit monitoring and identity restoration services. You will be contacted in the near future with information on how to access these services.
We are also notifying certain state regulators and consumer reporting agencies of this incident as required.
Thank you,
Jan H. Knox, M.A.
Associate Vice President, Marketing, Communications, and the GTCC Foundation
Guilford Technical Community College
Update of October 28: Today, DataBreaches.net received the following statement from GTCC:
Statement from Guilford Technical Community College:
Guilford Technical Community College has notified faculty, staff and students of a recent ransomware cyberattack. This communication was in response to an unauthorized access to the college’s network, which was discovered on Sept. 13, 2020.
Upon discovery of the event, the College immediately launched an investigation, with the assistance of leading cybersecurity experts, the Federal Bureau of Investigation, and other state agencies to determine what happened and to remediate impacted systems.
Additionally out of an abundance of caution, the college is proactively taking the necessary steps to assist those individuals who have been potentially impacted by the attack. The college’s faculty, staff and students will be offered free credit monitoring and identity restoration services.
Due to the ongoing nature of this investigation, the college is unable to provide further details at this time.
Jan H. Knox, M.A.
Associate Vice President, Marketing, Communications, and the GTCC Foundation
Guilford Technical Community College
Center for Advanced Manufacturing (CADM), Room 2657
6012 W. Gate City Blvd., Greensboro, NC 27407
I have contacted GTCC twice since learning through my Discovery card alerts that my SSN was on the dark web. I was told someone would be calling me. Seems inefficient to me.
“Inefficient” is not the word I would use to describe a situation like this.
Insufficient is what I meant. Auto correct.
You’re still a lot politer than I am. 🙂
Online I am! Can’t say what I said when I found out!
I’m a student here. I contacted the president and received the same pre-planned bullshit “we’re working on it” response.
This is fucking unacceptable. 43,000 people’s names, socials, bank info, and addresses are out there for the world to see and GTCC isn’t doing a fucking thing.
Now I just have to wait and see if my identity/money is stolen all because GTCC doesn’t know a fucking thing about security. Oh boy can’t wait!
Not to mention GTCC admins not informing students of teachers/other students who have COVID. Great work.
Just to be clear: the 43,000 was just one file. I didn’t go through all files and compile any total number. It’s undoubtedly higher than 43,000.
I’m sorry you and your colleagues and the employees are having to deal with this. Obviously, it is the hackers who are ultimately responsible, but in 2020, we would hope for better data security and incident response.
They called me today. They are contracting with an identity theft protection provider and will know more next week.
I wonder when they first started to make arrangements.
Today! Just heard they only began notifying today!
The implication was also that, as a former student, my protection level is tentative. This is not acceptable. Every person affected must be treated equivalently. Thank you for the work you do. This is still not in our local news and I’m perturbed.
So now that all of our personal information is out on the dark web…what happens now??? I have not been a student since 2015 and received security alerts from other sources (not notified by the school as I no longer have access to student info). How will this situation be handled?
Freeze your credit now if you haven’t already. Add 2 step verification to every account possible. Freeze any credit card accounts that offer it.