The Savannah College of Art and Design (SCAD), a private entity in Georgia that accepts students from various states and has a presence in France, may be dealing with a patchwork of state data breach reporting regulations.
Avos Locker states the SCAD was attacked about two weeks ago and a significant amount of data was stolen. The college's network was not encrypted, in contrast to some ransomware attacks; only data was exfiltrated.
The information was found to be a part of a data security incident on August 30. On August 22, experts discovered unauthorized access affecting users' systems. Experts acted quickly to control the situation, and with the aid of a cybersecurity company, they started an inquiry.
Researchers also informed law enforcement about the occurrence. According to the inquiry, on August 22, an unauthorized user obtained access to the network and copied a few files from company systems.
A review of more than 69,000 files and a sample of the exfiltrated data were provided by Avos. The filenames' descriptions, which included names of persons and hints about the files' contents, appear to be what the files are made of. One of the samples student files contained a spreadsheet with more than 60,000 records for both past and present pupils.
More than 15,000 records dating back to 2005 were present in one of the files. Many of the records were for relatively minor offenses that are typical of college students.
Despite being a private institution, SCAD's website states that FERPA rights apply to its students. Schools are not required under FERPA to send out individual notification letters or breach alerts.
Aside from personal data about students, there may also be a problem with student financial aid. The federal Gramm Leach Bliley Act, which enforces security and breach notification requirements, may be implicated if such records were accessed. DataBreaches were unable to identify from the file list in this case whether that law would be applicable.
Avos withheld the amount of the ransom it demanded to erase the stolen data. SCAD did engage in some negotiation, but their goal seemed to be more to purchase time, according to a response it sent to data breaches.SCAD did not answer a question regarding how they handled the situation.