Cyber Incident Victim: Cambridge College
Date:
Feb 2023
Location:
United States of America
Summary
Cambridge College experienced a system compromise from unauthorized external hacking over a period in early 2023, exposing names and Social Security numbers of over 30,000 individuals, including nearly 100 Maine residents. The breach was discovered several months later, prompting written notifications to affected parties and an offer of one-year complimentary credit monitoring services through Equifax to mitigate potential identity theft risks stemming from the incident.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
A cybersecurity incident impacted Cambridge College, an educational institution located in Charleston, Massachusetts, involving unauthorized access to personal information between February 20, 2023, and March 2, 2023. The breach was discovered on July 6, 2023, over four months after the unauthorized activity concluded, indicating a delayed detection timeline. Hackers breached external systems operated by the college and acquired sensitive personal data, specifically names paired with Social Security Numbers. The attack affected 30,368 individuals nationwide, including 96 residents of Maine. The college’s legal representative, privacy counsel Colin M. Battersby of the law firm McDonald Hopkins, submitted a breach notification to the Maine Attorney General’s office confirming these details. The compromised data exposed victims to heightened risks of identity theft and financial fraud due to the sensitivity of Social Security Numbers in combination with personally identifiable information. No evidence suggested prior breach notifications within the preceding 12 months, nor did the number of affected Maine residents trigger mandatory alerts to consumer reporting agencies under state law.
Cambridge College responded to the breach by initiating written notifications to all impacted individuals on August 4, 2023, seven months after the initial intrusion and 29 days following discovery. The notices included an offer of complimentary identity theft protection services through Equifax® Credit WatchTM Gold, providing one year of credit monitoring to individuals whose Social Security Numbers were exposed. The college’s breach notice to Maine residents was formally documented in a PDF file labeled SSN_Proof_[redacted]_32326194v1.pdf and submitted through legal counsel as part of compliance with state disclosure requirements. No additional details regarding the intrusion methodology, specific systems compromised, or forensic mitigation measures were disclosed in the Attorney General filing. The remediation effort focused exclusively on consumer notification and credit monitoring rather than public elaboration of technical containment steps or internal security enhancements. The delayed discovery window between breach conclusion and detection highlighted potential vulnerabilities in the college’s threat monitoring capabilities during the incident period.