Saint Xavier University this week confirmed it notified 212,267 people about a June 2023 data breach that compromised the following personal information:
- Names
- Social Security numbers
- Driver’s license numbers
- Passport info
- Financial account info
- Medical info
- Biometric info
- Health insurance info
- Student ID numbers
- Dates of birth
- Payment card info
- Account access info
The notice sent to victims lists prospective, current, and former students and employees among the victims, plus their dependents, beneficiaries, parents, and spouses.
Ransomware group ALPHV/BlackCat claimed responsibility for the attack in August 2023, saying it stole more than 1 TB of data from the school. The group posted images of the allegedly stolen data on its leak site.
Saint Xavier has not verified ALPHV/BlackCat’s claim. We do not yet know if the school paid a ransom, how much ALPHV demanded, how attackers breached Saint Xavier’s network, or why it took more than a year to notify victims. Comparitech contacted Saint Xavier University for comment and will update this article if it responds.
The notice states, “The investigation determined that an unauthorized actor downloaded certain files stored on limited SXU systems between June 29 and July 18, 2023.”
The school is offering eligible victims 12 months of free credit monitoring via IDX. The deadline to enroll is January 30, 2025.
Who is ALPHV/BlackCat?
ALPHV/BlackCat is responsible for some of the most high profile ransomware attacks of the past few years. The group went dark after an attack on Change Healthcare in March 2024, in which it allegedly stole a $22 million ransom payment from affiliates.
Before ALPHV/BlackCat went dark, Comparitech researchers recorded 137 confirmed attacks claimed by the group in 2023. Its average ransom was $2.2 million.
Six of those attacks were against targets in the education sector. In January 2023, ALPHV/BlackCat demanded a $1.5 million ransom from Wawasee School Corporation, which compromised the personal info of 3,200 people. ALPHV/BlackCat also attacked Munster Technological University in Ireland in February 2023. No ransom was paid, but recovery costs exceeded €3.5 million.
Ransomware attacks on US education
Ransomware attacks can both steal data from and lock down a school’s computer systems by infecting them with malware. The school must then pay a ransom for a key to unlock the computer systems, and so the attacker will agree to not sell or publish the stolen data.
Ransomware can disrupt systems used for assignments, grades, communications with teachers and staff, billing, payroll, and more. Schools often have to resort to pen and paper until systems are restored, and some have even cancelled classes in the wake of ransomware attacks. If a school refuses to pay, restoration can take weeks or even months, and students and staff whose data was compromised are put at greater risk of identity theft.
We logged 123 confirmed ransomware attacks on schools, universities, and other educational institutions in 2023, compromising 5,759,199 records. The average ransom was $495,000.
The attack on Saint Xavier is the third-largest in 2023 based on number of compromised records. Shoreline Community College paid $228,000 after a March 2023 attack by Royal compromised 400,000 records. Vice Society attacked Lakeland Community College in March 2023, which notified 286,000 victims.
In 2024 so far, we tracked 47 confirmed ransomware attacks on US education, compromising 2.8 million records. Recently confirmed attacks include those on Mastery Schools, Texas Tech University Health Sciences Center, and Cape Cod Academy.
About Saint Xavier University
Saint Xavier University is a Catholic university in Chicago, IL. Its total enrollment consists of 3,497 students.