On September 4, 2022, current and former students at Savannah College of Art and Design (“SCAD”) began reporting receiving data breach letters indicating that the school had suffered what appeared to be a ransomware attack. SCAD has not yet posted an official notice of infringement on its website and has not filed any notice of infringement with any state government entity; however, reports from students on social media indicate that the school began sending out data breach letters following the incident. Based on the most recent information, it appears that the data security incident has compromised the names, social security numbers, and dates of birth of some current and former students. Although SCAD has not publicly posted about the data breach, it appears that the school recently began sending out data breach notification letters to affected individuals.
If you receive a data breach notification, it is essential that you understand what is at risk and what you can do to fix it. To learn more about how to protect yourself from fraud or identity theft and what your legal options are following the Savannah College of Art and Design data breach, please see our recent article on the subject. here.
What we know about the Savannah College of Art and Design data breach
News of the SCAD data breach continues to grow and the school has yet to issue an official public statement on the incident. However, several current and former students have taken to Reddit to share letters they believe were sent by SCAD following the data breach. Based on these letters, on August 22, 2022, SCAD first detected a possible data security incident. In response, the school secured its systems, contacted law enforcement, and brought in an outside cybersecurity firm to investigate the incident.
The SCAD investigation confirmed that an unauthorized person gained access to the SCAD computer network and acquired copies of certain files from its systems on August 22, 2022.
After discovering that sensitive consumer data was accessible to an unauthorized party, the Savannah College of Art and Design then reviewed the affected files to determine what information had been compromised and which consumers had been affected. Although the information disclosed will vary depending on the individual, it may include your name, social security number, and date of birth.
News of the SCAD data breach was verified by a third-party data breach news agency, which spoke to the hackers who claim to have carried out the attack. According to this source, the hackers exfiltrated 69,000 files, one of which contained the records of 60,000 students, including their student numbers, first and last names, student numbers, social security numbers, class years, local phone numbers, mailing addresses, email addresses, fathers names and birth dates.
While some current and former students have reported receiving data breach notifications from SCAD, the school has yet to file an official breach notice. Thus, it is not known how many students were affected by the recent incident.
More information about Savannah College of Art and Design
Founded in 1978, Savannah College of Art and Design is a private art school with campuses in Savannah, Georgia; Atlanta, Georgia; and Lacoste, France. SCAD offers more than 100 study programs, including prop design, advertising, animation, architectural history, art history, creative business direction, management design, playwriting, equestrian studies, fashion, film and television, furniture design and more. The school’s current student body is approximately 14,000 students, of which approximately 17% are international students. Savannah College of Art and Design employs more than 1,900 people and generates approximately $36 million in annual revenue.
Ransomware attacks remain one of the most common types of cyberattacks
For those familiar with the data breach world, “ransomware attack” is a familiar term. Ransomware attacks, along with email phishing attacks, are the two most common types of cyberattacks. For example, according to the Identity Theft Resource Center, there were 321 ransomware attacks in 2021, compared to 158 in 2020. Each attack has the capacity to affect tens of thousands of people. To put that into perspective, the Identity Theft Resource Center reports that over 41 million people fell victim to ransomware attacks in 2021 alone.
Ransomware attacks are not a new phenomenon; However, in recent years, hackers have shown renewed interest in this particular type of attack. This is largely because cybercriminals are now able to specifically target the most valuable types of information, which means they are more effective. Moreover, the way cybercriminals carry out these attacks has also changed over time, making them more dangerous than ever.
Originally, a ransomware attack involved a hacker somehow installing malware on a victim’s device or computer network. Often this was done in conjunction with an email phishing attack or by placing malicious code on the back-end of an organization’s website. The malware would encrypt data on the victim’s device, preventing them from logging in. Instead, when the victim attempted to log into their computer, they were greeted with a message from the hackers demanding that they pay a ransom if they wanted. regain access to his computer.
However, in recent years, hackers have started threatening to publish data they have obtained from a company on the dark web if the ransom is not paid. From the hacker’s perspective, this adds to a company’s incentive to pay the ransom. In fact, according to third-party reports, the hackers responsible for the SCAD data breach didn’t even bother to encrypt the school’s computer system and only exfiltrated data. This indicates that the ransomware gang responsible for the attack felt that simply threatening to release the information gave them enough leverage to get the school to pay the demanded ransom.
Given the frequency and risk of these attacks, it is important for consumers and businesses to understand what ransomware attacks are, how to prevent them, and what can be done after them to reduce the worst consequences, including identity theft and other fraud. . It is also essential that anyone who experiences a data breach takes the necessary steps to protect themselves.