Cyber Incident Victim: Paul Smiths College
Date:
Aug 2022
Location:
United States of America
Summary
An unauthorized individual potentially accessed Paul Smiths College's network, compromising personal information belonging to individuals associated with the institution. Following the incident, the college secured affected accounts, initiated an investigation with external cybersecurity experts, and later confirmed the exposure of limited personal data. While no evidence of misuse was identified, the institution offered complimentary credit monitoring through Experian IdentityWorks to affected parties. The response included recommendations for fraud alerts, security freezes, and credit report reviews to mitigate potential risks. The breach impacted residents across multiple states, with specific guidance provided to Rhode Island individuals under state identity theft laws.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On August 27, 2022, Paul Smith’s College detected unauthorized access to its network systems. The college immediately secured the compromised accounts and initiated an investigation with external cybersecurity professionals to assess the breach. This investigation involved extensive forensic analysis and manual document reviews spanning nearly five months. On January 26, 2023, investigators confirmed that the attacker had accessed a limited volume of personal information belonging to individuals associated with the institution during the August intrusion. While the specific data types were redacted in the notification letter, the college acknowledged the exposed information could be used for identity theft purposes. No evidence indicated actual misuse of the data at the time of disclosure.
In response, Paul Smith’s College offered affected individuals a complimentary one-year subscription to Experian IdentityWorks Credit 3B, providing credit monitoring across all three major bureaus, identity restoration support, and $1 million identity theft insurance. The enrollment window expired on a date specified in individual notifications, though the exact deadline was redacted in the public filing. The college also outlined steps for victims to independently place fraud alerts or security freezes with Equifax, Experian, and TransUnion, including detailed contact information and procedural requirements for each bureau. Notification letters included state-specific guidance for residents of Iowa, Maryland, North Carolina, New Mexico, New York, Oregon, and Rhode Island, with particular emphasis on Rhode Island’s Identity Theft Prevention Act of 2006. Recommendations extended to reviewing financial statements, obtaining free credit reports via AnnualCreditReport.com, and filing reports with the FTC or local law enforcement if suspicious activity emerged. The college acknowledged the incident’s impact on Rhode Island residents explicitly but did not disclose the total number of affected individuals or precise operational disruptions caused by the breach.