
Cyber Incident Victim: California Northstate University

Date: Feb 2023

Location: United States of America

Summary

A ransomware group compromised California Northstate University, exfiltrating sensitive student admissions data and employee tax records. The attackers leaked 2022 W-2 forms for 393 employees, including executives, containing names, Social Security numbers, addresses, and financial details, which exposes those employees to identity theft and tax fraud. While the group claimed possession of student data such as birthdates and contact information, they did not publicly release those records. The university had not publicly acknowledged the incident at the time of reporting, leaving the full scope of impacted individuals and potential additional data exposures unclear.


Description

On or around February 15, 2023, the ransomware group AvosLocker listed California Northstate University on its data leak site, claiming to have stolen sensitive student and employee data. The group asserted possession of student admissions records containing names, Social Security numbers, dates of birth, addresses, email addresses, and telephone numbers, along with all college employee W-2 forms for 2022. As proof, AvosLocker publicly released a sample of documents including the 2022 W-2 statements for the university's President and CEO, Vice-President and CFO, and a job applicant's information, accompanied by a file containing 393 employee W-2 forms. These tax documents exposed employees' full names, addresses, Social Security numbers, wage information, and detailed federal and state tax withholding data. The threat actors criticized the university's cybersecurity insurance decisions in their post, implying the institution failed to adequately protect sensitive information despite having coverage. Notably, AvosLocker did not publish any of the student data it claimed to possess at the time of the listing, nor did it disclose the full scope of exfiltrated employee records beyond the W-2 forms.

The compromised W-2 data created significant risks for identity theft and tax fraud against affected employees, as the exposed information enables criminals to file fraudulent tax returns or establish fake credit profiles. AvosLocker's public statement suggested the university had ignored prior communications about the breach, though no specific ransom demands or negotiation details were disclosed in the leak site posting. At the time of the incident's public exposure, California Northstate University had not published any official notice about the cyberattack on its website, and DataBreaches.net reported unsuccessful attempts to reach the institution's top executives for comment. The university's administrators and a student newsletter representative received inquiries about the breach but no institutional response was documented in the available sources. The threat actors left open the possibility of selling or leaking additional stolen data, maintaining uncertainty about further exposure of student records or supplementary employee information beyond the already released tax documents. Affected individuals faced potential long-term financial security consequences requiring proactive monitoring of credit and accounts.
