
Cyber Incident Victim: Savannah College of Art and Design

Date: Aug 2022

Location: United States of America

Summary

The Savannah College of Art and Design experienced a cyberattack involving unauthorized data exfiltration by the Avos Locker group, compromising sensitive information of current and former students and staff. Exfiltrated files included personnel records, student data with personal identifiers such as Social Security numbers, addresses, and dates of birth, as well as behavioral and disciplinary records spanning many years. Attackers provided a sample listing over 69,000 files, including a spreadsheet containing more than 60,000 student records. While the institution engaged in limited ransom negotiations, its compliance with notification obligations under multiple regulatory frameworks—including FERPA, GDPR due to its France campus, and Georgia state law—remained unclear. The college later issued a public statement regarding the breach.

Description

On or around August 25, 2022, the Avos Locker ransomware group conducted a cyberattack against Savannah College of Art and Design (SCAD), resulting in significant data exfiltration without network encryption. The attackers claimed to have stolen a large volume of data approximately two weeks prior to their public disclosure, providing a sample file list containing over 69,000 files. These files included personnel records, student information, and operational documents, with filenames indicating sensitive content such as passports, payroll data, bank statements, personal statements, and recommendation letters. A notable component of the exfiltrated data was a spreadsheet containing more than 60,000 records of current and former students, exposing identifiers including full names, student numbers, Social Security Numbers (primarily for students enrolled between 2009 and 2015), contact details, addresses, email addresses, parental information, and dates of birth. Additional compromised files included over 15,000 behavioral and disciplinary records dating back to 2005, some of which linked identifiable student information to specific incidents through associated identifiers like student IDs.

The attackers did not disclose their ransom demand but confirmed that SCAD engaged in limited negotiations, which Avos Locker characterized as an attempt to buy time rather than resolve the incident. SCAD did not respond to direct inquiries about the breach or its mitigation efforts. The incident raised complex notification obligations due to SCAD’s multinational operations and diverse student body. While the Family Educational Rights and Privacy Act (FERPA) governed student records, it did not mandate individual breach notifications, requiring only internal record annotations for non-directory information disclosures. Potential exposure of financial aid records could have triggered Gramm-Leach-Bliley Act (GLBA) requirements, though applicability remained unconfirmed. Georgia’s state breach notification laws and the GDPR further complicated compliance, as SCAD’s France campus subjected EU-based students to GDPR protections, while EU nationals studying in the U.S. fell outside its scope. By September 8, 2022, SCAD had issued a public statement regarding the breach through local news outlets, though its specific content and remediation actions were not detailed in available reports.
