Cyber Incident Victim: Butler County Community College
Date:
Nov 2021
Location:
United States of America
Summary
Butler County Community College experienced a ransomware attack by the Vice Society threat group, marking its second such incident in approximately two years. The attackers exfiltrated and leaked sensitive data, including personnel records with payroll details, student recommendation letters, disability accommodation forms, and personal documents such as medical records and a marriage certificate. While the college initially reported no impact on personal information in the prior incident, this breach compromised identifiable student and employee data. Vice Society confirmed they were not responsible for the earlier attack, which had occurred before the group's emergence. The compromised data appeared on the dark web, prompting concerns over the exposure of sensitive institutional and personal information.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
Butler County Community College (BC3) in Pennsylvania experienced a ransomware attack beginning on November 19, 2021, which was publicly disclosed by the institution on November 28. The Vice Society ransomware group claimed responsibility for the attack and subsequently leaked stolen data on their dark web site. This marked the second ransomware incident affecting BC3 within approximately two years, following a February 2020 attack that the college had previously stated did not compromise personnel or student information. Analysis of the 2021 data dump revealed the exposure of sensitive personal information, including recommendation letters for former students and employees, tax and payroll documents for some staff members, accommodation forms for students with disabilities, a letter of medical necessity for breast reduction surgery, and a marriage certificate. Preliminary review of the leaked materials indicated the absence of major personnel or student databases, though the presence of these individual files containing personally identifiable information confirmed unauthorized access to institutional records.
BC3 issued an initial statement about the November 2021 incident on November 28 and provided a more detailed update on December 8, though no further public updates were available at the time of reporting. The college faced scrutiny regarding both the security practices that allowed retention of sensitive historical documents and potential connections between the 2020 and 2021 incidents. Vice Society, when contacted by investigators, denied involvement in the earlier 2020 attack and noted their emergence as a group in January 2021—more than a year after BC3's first ransomware event. The threat actors did not clarify whether vulnerabilities from the initial attack facilitated the 2021 breach. The exposure of medical, financial, and disability-related documents created potential risks for affected individuals, though the full scope of compromised records remained under assessment. BC3's response efforts included investigating the attack timeline and coordinating with cybersecurity professionals to address the breach.