Dive Brief:
- Mercer University was recently hit with at least three newly filed class action lawsuits over a data breach, with plaintiffs alleging that the Georgia college failed to safeguard their personal data.
- One plaintiff is a former law student at Mercer, while another is a professor at Yale School of Medicine who taught a course at Mercer in 2016 and 2018. Another, a former student who stayed anonymous over privacy concerns, said he suffered from fraudulent credit card charges after the data breach.
- None of the three lawsuits, which contend more than 93,000 people were caught up in the data breach, have been certified as class actions yet. They all allege that Mercer improperly delayed informing affected individuals and failed to have adequate cybersecurity defenses.
Dive Insight:
The spate of lawsuits illustrates the complicated risks colleges and universities face when it comes to protecting data. Cybercriminals frequently target higher education institutions, which house massive amounts of personal and financial information.
Colleges can be particularly vulnerable to ransomware attacks, in which cybercriminals either threaten to publish sensitive data or block victims’ access to it unless they pay a ransom.
When colleges experience data breaches, lawsuits can often follow. That was the case at Knox College late last year, when hackers broke into the institution’s computer system and later emailed students threatening to sell their Social Security numbers. Multiple students have since taken legal action against the Illinois institution.
The lawsuits say a month passed between Mercer discovering the data breach and notifying those who were affected.
A May 9 post on Mercer’s website said the university detected “an incident involving unauthorized access to its computer network.”
With the help of law enforcement and outside legal and technical consultants, Mercer investigated the incident. It found that sensitive data, including Social Security numbers and driver's license numbers, were removed from systems without authorization, according to the announcement. It also said it found no evidence that personal financial information was taken.
A Mercer spokesperson said Tuesday that the university does not comment on pending litigation.
One lawsuit links to recent reporting from Cybernews, which said a ransomware gang called Akira posted stolen data from Mercer on its dark web blog. Akira said the university had declined to pay its ransom, according to the publication.
The anonymous former Mercer student said the university hasn’t provided adequate updates on the data breach.
“Plaintiff and the Class Members remain, even today, in the dark regarding what particular data was stolen, the particular malware used, and what steps are being taken, if any, to secure their [personally identifiable information] and financial information going forward.”
Similarly, the former law student said letters notifying individuals of the data breach were insufficient.
“Upon information and belief, the Akira ransomware gang posted on the dark web that Mercer was one of its victims, but Mercer’s Notification Letters did not disclose any details regarding the Akira ransomware gang, or any other bad actor,” the complaint states.