Cyber Incident Victim: Merced College

On November 3, 2022, Merced College (MCCD) discovered that portions of its computer systems had been encrypted, prompting an immediate investigation into the incident. The investigation determined that the encryption resulted from a malware attack, with unauthorized access to the college's IT network occurring between October 25, 2022, and November 3, 2022. During this nine-day period, the attacker gained access to files containing confidential information belonging to students and faculty members. MCCD's forensic review confirmed that the compromised data included personally identifiable information such as names and addresses, though the specific details varied among affected individuals. The college did not publicly disclose the exact number of impacted parties or the full scope of accessed systems beyond confirming the presence of malware-induced encryption. No evidence suggested data misuse beyond the initial access and encryption event.

Merced College completed its review of affected files in early 2023, identifying all individuals whose information was exposed during the breach. On March 9, 2023, the institution simultaneously filed a formal notice with the California Attorney General's office and initiated mailing data breach notification letters to impacted students and faculty. The notifications advised recipients about the potential exposure of their personal information but did not specify whether financial or academic records were compromised. As a public community college serving approximately 15,000 students with 271 employees and $29 million annual revenue, the incident disrupted administrative operations and exposed sensitive data across its academic programs. The college's response focused on breach disclosure and individual notifications rather than public disclosure of technical remediation measures or third-party forensic partnerships. No ransomware demands or explicit attacker motives were referenced in the official filing.