Cyber Incident Victim: 3rd Millennium Classrooms
Date:
Oct 2023
Location:
United States of America
Summary
A security breach at 3rd Millennium Classrooms, a vendor providing mandatory online alcohol and drug awareness training, exposed names and University email addresses of some students and alumni affiliated with the University of Virginia. The compromised system contained approximately 24,000 accounts linked to University emails, though the exact number of disclosed records remains unclear. While no University information systems were compromised, a small subset of accounts may have included the last four digits of Social Security Numbers, though full SSNs were not held by the vendor or provided by the institution. This marks the second cybersecurity incident impacting the university community within a short period, following an unrelated prior attack. Affected individuals were notified proactively, and the university advised vigilance against potential misuse of exposed information.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On October 11, 2023, the University of Virginia’s Office of Student Affairs notified students and alumni via email that their personal information housed by 3rd Millennium Classrooms—a vendor providing mandatory online alcohol and drug awareness training—had been compromised in a security breach. The breach exposed names and University email addresses of individuals who accessed the platform, though the exact number of affected records remained undetermined. University Deputy Spokesperson Bethanie Glover confirmed the compromised system contained approximately 24,000 accounts linked to University email addresses, with precautionary notifications sent to all potentially impacted individuals. The University emphasized that its own information systems were not breached, as 3rd Millennium operated independently and only received student names and email addresses from the institution for training module access. No evidence suggested the vendor had solicited or stored full Social Security Numbers, though a limited number of accounts included the last four digits of SSNs, which the University stated it had not provided to 3rd Millennium.
The University’s response focused on transparency and risk mitigation, directing affected individuals to contact [email protected] if contacted by third parties regarding the breach. This incident followed a separate cyberattack on June 1, 2023, which had prompted widespread password resets for University accounts. While the 3rd Millennium breach did not compromise academic systems or full SSNs, it marked the second cybersecurity event affecting the University community within five months. The Office of Student Affairs reiterated that any additional personal data in 3rd Millennium’s possession would have been self-reported by users during module completion, limiting the scope of potentially exposed information to identifiers and partial SSN fragments in isolated cases. No further operational disruptions or attacker methodologies were disclosed in available communications.