Cyber Incident Victim: Kentucky Wesleyan College

Kentucky Wesleyan College (KWC) experienced a network security incident that disrupted access to its files and systems, discovered on or around September 1, 2020. The college restored system availability following the incident and implemented additional security measures, though it did not publicly disclose technical details regarding the attack vector or intrusion methods. While KWC found no direct evidence of personal information misuse, it acknowledged that unauthorized actors potentially accessed sensitive data belonging to faculty, students, staff, and other affiliated individuals. The compromised information included names, Social Security numbers, birth dates, addresses, driver’s license numbers, and financial aid award details. In limited cases, additional personal identifying information (PII) such as taxpayer identification numbers, email or usernames with passwords or security questions, IRS-issued identity protection PINs, and biometric data like fingerprints may have been exposed.

KWC delayed public notification until March 20, 2021, approximately six months after detecting the incident. The college established a dedicated call center for inquiries and mailed formal notices to 31,796 potentially affected individuals. These postal notifications offered 24 months of complimentary credit monitoring and identity theft restoration services through Cyberscout, though this mitigation offering was omitted from KWC’s initial website announcement and FAQ documentation. The college did not elaborate on the reasons for the six-month gap between discovery and notification or provide specifics about containment procedures. The incident implicated financial aid data, which falls under Gramm-Leach-Bliley Act (GLBA) safeguards, though no regulatory enforcement actions were publicly confirmed in relation to the breach.