On January 9, 2024, the East Valley Institute of Technology (EVIT) experienced a significant cybersecurity incident. This breach, now known as the EVIT data breach, saw unauthorized access to the institution’s network, potentially compromising the personal information of over 200,000 individuals. With 48 categories of sensitive data at risk, the breach has raised concerns among students, parents, and faculty about the security of their personal information.
What is the EVIT data breach?
The EVIT data breach is a significant cybersecurity incident that targeted the East Valley Institute of Technology (EVIT), a career training school. On January 9, 2024, threat actors managed to infiltrate EVIT’s network, gaining unauthorized access to sensitive data. This breach involved roughly 48 different categories of personally identifiable information (PII), potentially impacting over 200,000 individuals. The compromised data included various types of sensitive information such as Social Security numbers, student ID numbers, dates of birth, home addresses, and even medical and financial records. Despite the severity of the breach, EVIT has assured that this attack had a limited impact on its operations and has taken extensive measures to secure its systems and protect the affected individuals.
When did the EVIT data breach occur?
The EVIT data breach occurred on January 9, 2024. On this date, EVIT discovered that it had become the target of a sophisticated cyber attack. The incident involved unauthorized access to the institution’s network, which subsequently led to the potential exposure of a vast amount of sensitive information belonging to current and former students, faculty, and parents. In response to the breach, EVIT promptly took corrective actions to investigate the incident, secure its systems, and notify the appropriate authorities. The institution also engaged third-party cybersecurity experts to conduct a thorough investigation and ensure that all vulnerabilities were addressed.
How many individuals were affected by the EVIT data breach?
The EVIT data breach impacted a significant number of individuals, with records indicating that 208,717 people were affected. This group includes current and former students, faculty members, and parents. The compromised information varied by individual, encompassing up to 48 different categories of personally identifiable information (PII). While not all data was compromised for every individual, the breach’s scope underscores the seriousness of the incident. EVIT has since taken steps to notify all potentially impacted individuals and is offering identity theft protection services through IDX. These services include 12 months of CyberScan monitoring, a $1,000,000 insurance reimbursement policy, and fully managed identity theft recovery services, aiming to mitigate the potential risks posed by the breach.
Understanding what data breach is in 4 steps
What types of information were compromised in the EVIT data breach?
The EVIT data breach involved the potential exposure of a wide array of personally identifiable information (PII). Specifically, 48 categories of sensitive data were at risk, including but not limited to:
- Class lists
- Student ID numbers
- Dates of birth
- Race/ethnicities
- Grades
- Course schedules
- Home phone numbers
- Email addresses
- Home addresses
- Parent/guardian names
- Transcripts
- Individualized education plans (IEP) or 504 plans
- Social Security numbers
- Driver’s licenses or State IDs
- Financial aid information
- Class ranks
- Places of birth
- Taxpayer identification numbers
- Tribal IDs
- Account numbers and routing numbers
- Health insurance information
- Disciplinary files
- Medical information, including diagnosis and treatment details
- Passport numbers
- Username and password pins or login information
- Biometric data
- Military ID numbers
This diverse set of data points underscores the breadth of the breach and the potential impact on affected individuals.
How did the EVIT data breach happen?
The EVIT data breach occurred when threat actors gained unauthorized access to the institution’s network on January 9, 2024. This cyber attack involved sophisticated methods to infiltrate EVIT’s systems, allowing the attackers to potentially access and compromise a vast amount of sensitive information. Despite the breach, EVIT managed to limit the operational impact, immediately initiating an investigation and taking steps to contain and remediate the threat. The institution has since worked with third-party cybersecurity experts to conduct a thorough review and bolster its defenses against future attacks.
What steps has EVIT taken to secure its systems after the data breach?
Following the EVIT data breach, the institution implemented a comprehensive range of measures to secure its systems and protect against future incidents. These steps include:
- Locking down VPN access
- Deploying Endpoint Detection and Response (EDR) software
- Implementing 24×7 monitoring for potential threats
- Revoking privileged user access for parents or guardians
- Changing all service account passwords and user passwords
- Revoking domain trust and performing domain cleanup
- Rebuilding or replacing nineteen virtual servers to ensure none of the prior compromised servers were brought back onto the network
Additionally, EVIT reported the incident to the three largest nationwide consumer reporting agencies and appropriate authorities. The institution has also engaged third-party experts to assist in hardening its network infrastructure and enhancing data protection protocols.
Has any of the compromised data from the EVIT breach been published online?
As of the latest updates provided by EVIT, there has been no discovery of any compromised data being published online. The institution has taken extensive measures to monitor for such activity and remains vigilant in protecting the sensitive information of those affected by the breach.
What should individuals do if they are affected by the EVIT data breach?
Individuals affected by the EVIT data breach are advised to take immediate steps to protect themselves from potential harm. Recommended actions include:
- Closely monitoring financial accounts for any suspicious activity.
- Placing a credit freeze and/or fraud alert on their credit file by contacting one of the three major credit bureaus (Equifax, Experian, TransUnion).
- Filing an identity theft report with the Federal Trade Commission (FTC) at IdentityTheft.gov.
- Checking credit reports periodically to spot any issues early. Reports can be obtained from www.annualcreditreport.com or by calling 877-322-8228.
EVIT is offering affected individuals identity theft protection services through IDX, which includes 12 months of CyberScan monitoring, a $1,000,000 insurance reimbursement policy, and fully managed ID theft recovery services.
How can I find out if my information was compromised in the EVIT data breach?
To determine if your information was compromised in the EVIT data breach, you can refer to the notification letter sent by EVIT, which details the incident and the categories of information potentially affected. Additionally, EVIT has posted a notice on their website for impacted individuals. If you have further questions or need assistance, you can contact EVIT directly at [email protected]. They have also been working diligently to send individual notices to those identified as potentially impacted by the breach.
Image credits: Kerem Gülen/Midjourney
