Personal data belonging to more than 155,000 former students and staff of Pierce College was reportedly leaked on the dark web following a cyberattack this summer. The breach included sensitive details such as Social Security numbers and banking information, prompting a lawsuit against the Pierce College District. Sally McAuley, a district student in 2022 and this year, filed the lawsuit in Pierce County Superior Court, intending it to be a class-action filing.
Attorney Timothy Emery, representing McAuley, expressed concern about the security protocols in place at Pierce College, stating, “We do not yet know what security protocols Pierce College had in place, but we know that they were insufficient to protect their students’ information.” Pierce College Chancellor and CEO Julie White responded to the allegations, asserting that the complaint “appears to mischaracterize the nature and scope of the incident.” However, she refrained from providing specific details, citing the college’s policy of not commenting on legal matters.
Pierce College, serving over 13,500 students annually across campuses in Lakewood and Puyallup, reported suspicious activity within its network on July 24, leading to an investigation. The breach, identified between July 23 and July 24, 2023, exposed files on Pierce’s servers to unauthorized actors, according to the district’s legal counsel, Benjamin Wanger.
The college took prompt measures to secure its network and initiated an investigation, with White noting that the review of all files would have taken “quite some time.” As a precaution, the college notified all individuals potentially affected on Sept. 8. The compromised data, affecting 155,811 Washingtonians, included names, Social Security and driver’s license numbers, financial information, and full dates of birth, according to the state Attorney General’s office.
The breach at Pierce College stands as the third-largest single data breach in Washington state this year, trailing behind incidents at T-Mobile and Shoreline Community College. Notably, a prior incident in January involved an employee in Pierce County’s auditor’s office inadvertently sharing the last four digits of 463,000 registered voters’ Social Security numbers.
The lawsuit, referencing a report from CyberNews.com, alleges that the “Rhysida gang,” a cybercriminal organization, posted stolen personal information from the Pierce College District on a dark web auction page.
Effects of the breach are surfacing, with McAuley reporting an increase in spam calls and emails, along with attempted unauthorized use of credit and debit cards. The lawsuit emphasizes concerns about identity theft and fraud, seeking unspecified damages and class certification for the 150,000-plus affected individuals.
In response to the attack, Pierce College worked closely with industry experts and its cybersecurity insurance provider to guide its response. White stated that the district’s security measures were “on par” with other higher education institutions, but additional protections, including a layer of authentication, have since been implemented.
The college’s web privacy notice assures that measures have been taken to prevent unauthorized access and protect data integrity. Notification letters sent to affected parties include steps to detect fraud and protect identity, including a free one-year Experian membership.
Individuals affected by the breach are advised to contact the Federal Trade Commission and local law enforcement if they suspect fraud. They can also reach out to credit reporting companies to place fraud alerts or credit freezes. Questions about the incident can be directed to 855-457-9076 on weekdays between 6 a.m. and 6 p.m.
The lawsuit contends that Pierce College made promises to keep collected data confidential, emphasizing the duty of institutions holding sensitive information to ensure its safety.
