Cyber Incident Victim: Clackamas Community College
Date:
Oct 2025
Location:
United States of America
Summary
Clackamas Community College faces a class-action lawsuit alleging that it failed to protect student data by storing names, dates of birth, tax identification numbers, passport numbers, financial accounts and health information in an unencrypted, Internet-accessible environment. The lawsuit claims that an unauthorized third party accessed college files and that the institution delayed notifying affected individuals, only sending notices after the breach was discovered. The college stated that suspicious activity was identified on a user account, that it reset the account, contained the network and hired a forensic security firm to investigate. It offered those impacted one year of credit monitoring and identity theft protection. The suit seeks compensatory and punitive damages and requests that the college provide at least ten years of credit monitoring for those harmed.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 0 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
A class‑action lawsuit was filed in federal court in Portland on March 2, 2026, alleging that Clackamas Community College failed to protect student data by storing it in an unencrypted, Internet‑accessible environment. The suit claims that the breach exposed sensitive information including names, dates of birth, tax identification numbers, passport numbers, financial account details and health information. According to the complaint, an unauthorized third party accessed college files in late October, yet the college did not begin notifying affected individuals until January 2026. The named plaintiff, Aidan Zahn, reported receiving a significant increase in spam calls that he attributes to the data exposure. The lawsuit states that at least 100 individuals are part of the alleged class and that three similar suits filed against the college since the start of the year are likely to be consolidated before Magistrate Judge Jolie A. Russo. The college’s attorney, Curt Roy Hinelin, was given until mid‑March to respond to the allegations after requesting additional time to investigate.
The college’s own notice, sent to impacted individuals on January 8, 2026, described a timeline of detection and response. It stated that suspicious activity tied to one of the college’s computer network user accounts was identified on September 10 and the account was promptly reset. Additional suspicious activity was discovered on October 24, prompting the school to work on containing its network to prevent widespread interference. Following these findings, the college engaged a forensic security firm to investigate the incident and ensure the security of its network. The investigation concluded that an unauthorized party accessed a small number of systems and acquired files from those systems in late October. In response, the college offered affected individuals the opportunity to enroll in one year of credit monitoring and identity theft protection services. The lawsuit seeks unspecified compensatory and punitive damages and requests that the court order the college to provide no less than ten years of credit monitoring for those impacted.