A ransomware outfit launched an assault on New Jersey City University's computer network, threatening to reveal sensitive private details of students and staff unless $700,000 in Bitcoin is paid by Saturday. The institution notified staff and students of the June 4-10 data breach on Friday, some seven weeks after the incident that resulted in the loss of social security numbers, driver's licence numbers, financial account information, and credit card details.
The estimated number of potential victims was not known till Monday afternoon, although the 100-year-old university enrols about 6,000 undergraduate and graduate students annually in addition to a small number of teachers and staff members. When asked about how quickly they found out about the data breach, school officials had no response.
“In June 2024, our computer network was accessed without permission by an unknown actor,” the university stated in a post under its webpage’s data events. “In response, we immediately notified law enforcement authorities, took steps to secure our computer network, and conducted a thorough assessment of the matter to determine what happened and how it may affect information that was stored on the network.”
A university spokesperson and a representative for the state Department of Homeland Security did not reply to requests for comment. Hack Manac, a cybersecurity business that monitors various cyber security risks across the country, stated the Rhysida Ransomware Group is responsible for the hack and is seeking 10 Bitcoins, or around $700,000, by August 3.
Sentinel One, another cybersecurity company, stated that Rhysida believes it is doing "victims a favour" by raising security concerns. The institution, which did not name the hacker, stated that the "unknown actor" copied "certain files" between June 4 and June 10.
The school will notify individuals who may be affected by email, and those who believe they have been affected may contact the institution. It will provide free identification monitoring to possibly affected individuals. The school emphasised that just because someone has been contacted does not imply that they are a victim of identity theft.
