Cyber Incident Victim: University of Maryland, College Park
Date: Feb 2023
Location: United States of America
Summary
California Northstate University suffered a ransomware attack by AvosLocker, leading to unauthorized access and leakage of sensitive employee W-2 forms containing names, Social Security numbers, salaries, and tax details. The attackers publicly disclosed executive personnel records and hundreds of staff documents but did not release student admissions data they claimed to possess. Despite the exposure of information valuable for identity theft or tax fraud, the institution had not issued any public acknowledgment or notifications regarding the incident at the time of reporting.
Description
On February 15, 2023, the ransomware group AvosLocker publicly listed California Northstate University as a victim on their data leak site. The group claimed to possess extensive student admissions data containing names, Social Security Numbers, dates of birth, addresses, email addresses, and telephone numbers, alongside comprehensive employee payroll information. As substantiation, AvosLocker published 2022 W-2 tax forms for 393 university employees, including those belonging to the institution’s President and CEO, Vice-President and CFO, and a job applicant. These documents exposed sensitive details such as Social Security numbers, wages, tax withholdings, and residential addresses. The threat actors taunted the university in their announcement, questioning its decision to obtain cyber-insurance while allegedly failing to adequately protect stakeholder data and suggesting negotiations had been ignored. Notably, while AvosLocker asserted access to student records, they selectively leaked only employee tax documents and did not disclose the volume or nature of additional exfiltrated data beyond the sample W-2s. No timeframe for the initial breach or technical details regarding intrusion methods, affected systems, or data exfiltration channels were provided in the disclosure.

The incident exposed employees to heightened risks of identity theft and tax fraud due to the publication of W-2 data, which remains highly valuable for financial crimes. At the time of public reporting, California Northstate University had not issued any formal breach notification via its website or public channels, and DataBreaches.net confirmed the absence of cybersecurity incident statements on the institution’s official platforms. Attempts to obtain direct confirmation from university leadership were unsuccessful, as contact information for key executives was unavailable, though inquiries were sent to administrative staff and a student newsletter representative. AvosLocker did not clarify whether remaining data would be released publicly or sold to other malicious actors, leaving both students and employees uncertain about the full scope of potential exposure. The lack of publicly observable containment measures, recovery actions, or communication strategies from the university created ambiguity regarding institutional response efforts.
