Cyber Incident Victim: California State University

Date:

Feb 2023

Location:

United States of America

Summary

A ransomware group leaked sensitive employee data from California Northstate University, including W-2 forms containing names, Social Security numbers, addresses, and tax information for 393 staff members, with specific executives' records publicly exposed. The attackers also claimed possession of student admissions data—such as SSNs, dates of birth, and contact details—though this information was not released. The institution had not publicly acknowledged the incident or posted any breach notifications at the time of reporting, leaving potential impacts on students and employees unresolved.

Description

On or around February 15, 2023, California Northstate University appeared on the AvosLocker ransomware group’s data leak site with threat actors claiming to have stolen sensitive student and employee data. AvosLocker’s listing asserted possession of student admissions records containing names, Social Security numbers, dates of birth, addresses, email addresses, and telephone numbers, alongside comprehensive employee tax documentation. As proof of the breach, the group publicly released the 2022 W-2 tax forms for the university’s President and CEO, Vice-President and CFO, and a job applicant, along with a separate file containing W-2 forms for 393 employees. These documents exposed highly sensitive information including employee names, addresses, Social Security numbers, wage details, and tax withholding amounts—data directly enabling identity theft and tax fraud. AvosLocker taunted the university in their post, questioning its cybersecurity insurance decisions and warning that ignoring the situation would not resolve it, though they did not disclose the full scope of exfiltrated data or whether student records were extracted beyond admissions information.

The immediate impact centered on financial fraud risks for affected employees, given the exposure of W-2 data historically exploited for fraudulent tax filings. While AvosLocker did not release any student data samples despite claiming access to admissions records, the threat of future leaks or sales of unreleased information created ongoing uncertainty for both students and staff. No evidence suggested the university had publicly acknowledged the incident by the article’s publication date, as its website displayed no breach notifications. DataBreaches.net attempted to contact senior administrators, including the CEO and CFO, but could not verify successful outreach beyond emails sent to unspecified university administrators and a student newsletter representative. The absence of confirmed containment measures or institutional responses left mitigation responsibilities largely with individuals, who faced potential long-term credit monitoring and identity protection requirements due to the exposure of immutable identifiers like Social Security numbers.
