Cyber Incident Victim: Oklahoma City University
Date:
Jul 2022
Location:
United States of America
Summary
A cyberattack targeting Oklahoma City University compromised sensitive personal information belonging to current and former students, employees, and other individuals with data stored on the institution's systems. The breach rendered systems inaccessible and allowed unauthorized access to names, addresses, Social Security numbers, driver’s license or state ID details, and passport information. Following an investigation involving law enforcement and third-party cybersecurity experts, the university confirmed the data exposure and initiated notification procedures to inform affected parties. The incident significantly elevated risks of identity theft and fraud for those impacted.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In July 2022, Oklahoma City University experienced a cyberattack that rendered its computer systems inaccessible. The university promptly reported the incident to law enforcement and engaged third-party cybersecurity experts to investigate the nature and scope of the breach. The investigation confirmed that an unauthorized actor had gained access to sensitive personal information belonging to current and former students and employees, as well as other individuals whose data was stored on OCU's systems. The compromised information included names, addresses, Social Security numbers, driver's license and state identification numbers, and passport numbers. Following this discovery, OCU conducted a comprehensive review of affected files to identify precisely which individuals and data types were impacted. The breach notification process began nearly eight months later on March 20, 2023, when OCU filed formal notice with the Montana Attorney General's office and initiated mailing data breach letters to affected parties.
The incident exposed sensitive personal identifiers for an undisclosed number of individuals across OCU's community of approximately 3,000 students and 650 employees. While the university did not publicly specify the attack vector or duration of unauthorized access, the breach significantly elevated identity theft risks for victims due to the exposure of government-issued identification numbers and Social Security information. Oklahoma City University's response included collaboration with cybersecurity professionals throughout the investigation but did not disclose whether system vulnerabilities were remediated or whether data encryption status affected the breach's impact. The delayed notification timeline between July 2022 discovery and March 2023 disclosure suggests a complex forensic investigation process. Potential legal implications for the institution were noted in relation to possible negligence claims regarding data protection practices, though no specific lawsuits or regulatory penalties were detailed in the available reporting.