Cyber Incident Victim: Suffolk University

Suffolk University experienced a cybersecurity incident involving unauthorized access to its computer systems on July 9, 2022. The university detected unusual activity and responded by securing its systems and initiating an investigation with assistance from cybersecurity professionals. This investigation confirmed that an unauthorized party had infiltrated the university's network and exfiltrated sensitive student data. The compromised information included names and Social Security numbers, though the specific data elements varied among affected individuals. Suffolk University completed its forensic review to identify the scope of impacted records and determined that confidential information had been accessed or stolen during the intrusion. The breach remained undisclosed to the public until May 24, 2023, when the university filed a formal notice with the Maine Attorney General’s office, disclosing that over 53,000 individuals were affected.

The university began mailing individualized data breach notifications to impacted students on May 24, 2023, nearly eleven months after the initial intrusion. These notifications outlined the types of exposed personal information but did not specify technical details about the attack methodology or whether ransomware or malware was involved. Suffolk University’s filing confirmed the breach stemmed from a 2022 cybersecurity event but provided no additional information about system vulnerabilities, threat actor attribution, or containment measures beyond securing the compromised systems. The incident exposed highly sensitive identifiers, significantly elevating risks of identity theft and fraud for affected students. No academic, financial, or medical records were mentioned in the disclosure. The university’s public communications focused on breach notifications and regulatory compliance rather than remediation efforts or security enhancements implemented post-incident.