Cyber Incident Victim: McMurry University

McMurry University, an educational institution based in Abilene, Texas, experienced a cybersecurity incident involving an external system breach through hacking. The breach occurred on June 18, 2020, but remained undetected until November 15, 2024, resulting in a four-year gap between compromise and discovery. Unauthorized actors accessed systems containing sensitive personal information, affecting 17,881 individuals nationwide, including five residents of Maine. The compromised data included personal identifiers combined with other sensitive information, though the specific data elements beyond names were not detailed in the notification. University President Sandra Harper formally reported the incident to authorities, confirming the institution's direct involvement in managing the breach response.

McMurry University initiated written notifications to all affected individuals on December 23, 2024, providing Maine residents with a dedicated breach notice document titled "McMurry_University_-_Notice_of_Data_Event_-_ME.pdf". The university offered impacted individuals 12 months of identity theft protection services through IDX, a subsidiary of ZeroFox, though the specific protections included were not enumerated beyond this partnership. No prior breach notifications had been issued by the institution within the preceding 12-month period. The delayed discovery timeline suggests sustained unauthorized access to university systems, though the containment methods and forensic investigation details were not disclosed in the regulatory filing. The incident represents one of the few documented cases where breach detection occurred more than four years post-compromise, highlighting challenges in identifying sophisticated intrusions within educational networks.