Cyber Incident Victim: Pacific Union College
Date: Apr 2023
Location: United States of America
Summary
Pacific Union College experienced a ransomware attack that disrupted its internal networks, phone systems, and web services. The Trigona ransomware group claimed responsibility, stating it had exfiltrated 120 GB of data containing the personal information of students, faculty, donors, and parents. The college confirmed the ransomware attack but stated that, as of its May 2023 update, its investigation had found no evidence that personal information was compromised; if that changes, it may be required to issue data breach notifications.
Description
On or around April 7, 2023, Pacific Union College (PUC) experienced a significant cybersecurity incident that impacted the institution's internal networks, phone systems, and web services. The college publicly acknowledged the disruption on its website that same day, though the initial notice did not specify the nature or cause of the incident. The college began an investigation to determine the event's full scope and origin. For several weeks after the initial disclosure, the investigation remained ongoing as the college worked to establish which systems were affected and whether any data had been exposed.

By May 3, 2023, the college's investigation had progressed sufficiently to confirm the cause of the cybersecurity issue. On that date, PUC posted an update on its website publicly acknowledging that the incident was, in fact, a ransomware attack. Despite confirming the malicious encryption of its systems, the college's update included a statement that there was no evidence any personal information had been compromised as a result of the attack. This assertion formed the core of the college's official position regarding data exposure at that time.
Concurrently, external reporting provided a conflicting account of the incident's impact. The ransomware group Trigona claimed responsibility for the attack against Pacific Union College. A representative of the Trigona group communicated with journalists from databreaches.net, confirming their involvement. The threat actors stated that they had successfully exfiltrated approximately 120 gigabytes of data from PUC's systems prior to deploying the ransomware. According to the hackers' claims, this stolen data contained a wide array of sensitive personal information pertaining to current and former students, faculty, donors, and parents.
The specific data types allegedly exfiltrated were detailed by the Trigona representative and included individuals' full names, addresses, dates of birth, and complete Social Security numbers. Furthermore, the hackers claimed the dataset contained more sensitive information such as criminal history and marital status. The ransomware group also disclosed that they had been engaged in negotiations with Pacific Union College for a period of approximately one month following the attack. These negotiations ultimately terminated without a resolution, leading the threat actors to pursue alternative methods of monetizing the stolen data.
The Trigona ransomware group operates differently from many other ransomware operations. Where most groups threaten to publish stolen data on a public leak site if a ransom is not paid, Trigona is known for privately selling the exfiltrated information to third parties. This matters for the victim: because the data may never appear on a public forum or leak site, leak-site monitoring cannot be used to confirm what was taken or who now holds it, and the organization is left to rely entirely on its own forensic evidence to scope the exposure.
Pacific Union College's statement that there was no evidence of a data breach, made despite the ransomware group's claims, is not a denial that data was taken; it reflects an internal investigation that had not yet reached a conclusion on whether personal information was actually accessed and acquired. Forensic analysis after a ransomware attack is complex and time-consuming, often requiring specialized external expertise to determine precisely what data was affected. A practitioner reading such a statement should also keep in mind that "no evidence of compromise" depends on what evidence was available to examine: if the attackers encrypted or destroyed the hosts that held relevant logs, or if logging and retention were limited to begin with, an investigation can find nothing without that meaning nothing happened. Until its investigation could conclusively establish that personal information was compromised, the college maintained its position that no evidence of a data breach existed.
The potential impact of the incident is significant given the types of information allegedly involved. If the attackers' claims are accurate, the exposure of Social Security numbers, dates of birth, and criminal history would create a substantial risk of identity theft and fraud for the affected individuals. The scope of the alleged breach also appears broad, covering not only current students and employees but also former students, faculty, donors, and parents, which would suggest that a wide range of institutional records was stored on the affected networks.
As a result of the confirmed ransomware attack, Pacific Union College was faced with the operational consequences of system encryption. The disruption to internal networks, phone systems, and web services would have impeded normal college operations, affecting administrative functions, communication, and potentially academic activities. Restoring these systems from backups or through decryption would have been a primary focus of the incident response efforts following the attack.
Looking forward, the college has a legal obligation under applicable breach notification laws to formally notify any individuals whose personal information is confirmed to have been compromised. If the completed investigation finds evidence that personal information was accessed and acquired, Pacific Union College will be required to send data breach notification letters to all affected parties. Such letters typically describe the categories of information exposed and often include offers of credit monitoring or identity protection services to mitigate potential harm. As of the latest reports, no such letters had been sent, indicating that the investigation into what data was affected was still in progress. The college's response will continue to evolve as the full facts of the incident are established through the ongoing forensic investigation.
