
Cyber Incident Victim: University of Kentucky

Date:

Feb 2023

Location:

United States of America

Summary

The incident involved unauthorized access to sensitive data at a university, with the threat actors claiming to have exfiltrated personal information of students and employees. The data they claimed to hold included student admissions records (names, Social Security numbers, dates of birth, addresses, email addresses, and telephone numbers) and employee W-2 forms; the group released a file of 393 employee W-2 forms for 2022, which carry Social Security numbers, wages, and federal and state tax withholding amounts. As proof of compromise the attackers also leaked the W-2 statements of two executives and a job applicant's personal information, but did not publish any student data. The group did not say what else it retained or whether it would leak or sell it; the exposed Social Security numbers and wage data create a significant risk of identity theft and tax refund fraud for affected individuals. No acknowledgment or incident notice appeared on the institution's website at the time of reporting.


Description

On or around February 15, 2023, the AvosLocker ransomware group publicly listed California Northstate University as a victim on its data leak site. The threat actors claimed to possess extensive student admissions data containing names, Social Security numbers, dates of birth, addresses, email addresses, and telephone numbers, and additionally asserted access to all college employee W-2 forms for 2022. As proof of their claims, AvosLocker published three specific documents: the 2022 W-2 statements of the university's President and CEO and of its Vice-President and CFO, and personal information belonging to a job applicant. They also released a file containing 393 employee W-2 forms from 2022, which included employee names, addresses, Social Security numbers, wage information, and federal and state tax withholding amounts. This combination of data is highly valuable for financial crimes, in particular tax refund fraud (a fraudulent return filed under the victim's Social Security number before the victim files) and identity theft. Notably, the group did not publicly release any student-related data despite asserting its possession, leaving the full scope of potentially compromised student information unresolved.


The university had no public statement regarding the incident on its website as of the reporting date. DataBreaches.net attempted to contact university leadership through administrators and a student newsletter representative but could not verify that its inquiries were received. AvosLocker's leak site posting included taunts directed at the institution regarding its cybersecurity insurance and its failure to protect stakeholders. The attackers did not disclose the total volume of exfiltrated data or whether they retained additional employee or student records for future leaks or sales. Because the published W-2 forms expose Social Security numbers together with wage information, the financial and identity fraud risk to affected individuals is immediate and persistent, warranting credit monitoring and fraud prevention measures. Any operational disruption to university systems and any ransom demand remained unconfirmed in available sources.
