Cyber Incident Victim: BYU-Pathway Worldwide
Date: Jun 2025
Location: United States of America
Summary
BYU-Pathway Worldwide detected unauthorized network access resulting from a compromised vendor account that allowed an unknown third party to view personal data of some current and former online students associated with BYU-Idaho and Ensign College. The accessed information may include names, Social Security or national identification numbers, account identifiers, contact details, gender, marital status, religious affiliation, age, and educational course records. The organization promptly notified U.S. federal law enforcement, engaged cybersecurity experts to investigate, and confirmed no further unauthorized activity after the breach was contained. There is currently no evidence that the exposed data has been misused or published. In response, it has strengthened security controls around vendor access and continues to monitor its systems to protect student information.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 0 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
BYU-Pathway Worldwide detected unauthorized network access after its information security team became aware of a potential security incident involving a vendor’s account. Evidence indicated that the vendor’s account had been compromised by an unknown third party, which allowed unauthorized access to certain systems within the BYU-Pathway environment. Upon discovery, BYU-Pathway immediately notified U.S. federal law enforcement authorities and began working with those authorities and third‑party cybersecurity experts to investigate the origin, nature, and scope of the incident. Forensic investigators have not detected any further unauthorized access or activity since June 24, 2025, and the identity of the unknown third party remains undetermined. The organization has stated that, at this time, there is no evidence that the accessed personal information has been used for fraudulent or other harmful purposes.

The breached systems contained personal data of current or previous online students served by BYU‑Pathway and its partner institutions BYU‑Idaho and Ensign College. The data that may have been accessed includes name, Social Security or national identification number if provided, account ID (but not password), contact information such as address and phone number, gender and marital status, religious affiliation if provided, age, and records of educational courses. BYU‑Pathway serves as a service provider for online students at BYU‑Idaho and Ensign College, so the affected individuals are those who have earned or are pursuing an online certificate or degree through those colleges. The organization has emphasized that the compromised data does not include passwords. No indication has been found that the information has been misused or published.

In response to the incident, BYU‑Pathway has collaborated with U.S. federal law enforcement, external cybersecurity experts, and its internal legal team to further enhance the security of its data. The organization has worked with staff to add extra safeguards around system access and has reemphasized security measures to protect against similar incidents in the future. BYU‑Pathway has provided a toll‑free telephone number for affected individuals who have questions or concerns about the incident. The organization has stated that its top priority remains the privacy and security of student information and that it is taking all necessary steps to keep that information safe.
