Cyber Incident Victim: Xavier College

In June 2022, Xavier College experienced a cyberattack targeting a key administrative staff member’s email account, resulting in unauthorized access to sensitive personal data. The school initially assessed that only 45 students were affected and chose not to notify the broader community, citing no evidence of misuse or public disclosure intentions at the time. By late October 2022, the college became aware that the attackers threatened to publish the stolen data, prompting a reassessment of the breach’s scope. This review revealed that over 100 current and prospective students and their family members had compromised information, significantly exceeding initial estimates. The stolen data included birth certificates, visa applications, parenting arrangements, financial details, and health information for a small subset of individuals. On November 22, 2022—four months after the breach—the school issued notifications to specifically affected individuals while also alerting the wider community about the potential exposure.

The compromised email account contained information related to admissions, fundraising, scholarships, pastoral care, and family finances. Xavier College emphasized that its core network, learning platforms, and database systems remained secure and that no academic records were accessed or exfiltrated. Immediate notifications were sent to individuals whose data was confirmed as stolen, with the school citing evolving risk parameters as the reason for the delayed broader disclosure. The institution did not disclose technical details about the attack vector or the identity of the threat actors. Impacts included potential exposure of highly sensitive documents, though the school provided no evidence confirming whether attackers had executed their threat to publish the data by the time of its November disclosure. Response actions focused on containment of the breached account and reassessment of affected individuals rather than public technical remediation measures.