Connecticut College Announces Breach Investigations from March 2023
Table of Contents
- By Steven
- Published: Feb 14, 2024
- Last Updated: Feb 16, 2024
Connecticut College (CC) is a private campus institution in New London, CT; initially opened as a women’s college, the institution today serves a 2k-student population and offers more than 40 degree programs. In March 2023, cybercriminals victimized CC by accessing their network environment. Eleven months later, CC officials have begun sending impact notices to those with data exposed in the incident. The assault remains under investigation by the authorities and cyber experts, so a projected impact figure is currently indeterminable; despite this, victims of the event must consider data protection.
How Did the Attack Occur?
Although the breach happened nearly a year ago, there is little public information about the attack or how the assailants made the event possible. The Maine Attorney General breach filing suggests that the event was an external system breach, but the consumer notice and website statement from CC offer no additional information. According to these public resources, the assailant accessed CC’s systems, acquired files, and left the environment. Presumably, CC’s defensive experts expelled the threat actors from the systems, but how the unauthorized party entered the network remains unclear.
What Information Was Viewed or Stolen?
The public can find a list of potentially compromised data elements via the consumer notice published with the Maine breach filing. The notice suggests that those impacted by this event may have exposures, including victims’ names, Social Security Numbers, student ID numbers, education records, financial aid data, taxpayer IDs, driver’s license numbers, government IDs, financial account details, and access codes, health benefits, medical record numbers, and treatment history. Those with data potentially exposed by this event must immediately safeguard the compromised information.
How Did Connecticut College Admit to the Breach?
All the public resources for this event suggest the attack happened around March 3rd, 2023; however, between then and 2024, officials listed no activities for the event. Presumably this is due to the authorities running investigations into the incident, including an extensive manual review of the compromised documents. The Maine breach filing suggests officials did not know of the breach until around January 11th, 2024; around a month later, on February 7th, officials purportedly began sending impact notices.
What Will Become of the Stolen Information?
Data compromised in this event is primarily sensitive; with only a few of these elements, cybercriminals could further victimize individuals and organizations beyond mitigation. Any time the threat actors could sell the data on the dark web for profit, they could misuse it for fraud or extortion; they might even use it to attack other companies with similar login credentials. Further, because the attack happened nearly a year ago, it’s impossible to say what has happened to the data from then to now—it could be in a closed system or out there for sale.
What Should Affected Parties Do in the Aftermath of the Breach?
Maine’s filing suggests that almost 1,000 Maine residents have data exposed by this incident. However, because the institution is in Connecticut, the final impact figure is likely far higher. As investigations continue, the public may learn more about the attack and the events that led to it. Until the public learns more, victims of this breach must consider data defenses to safeguard their data. Individuals should ensure their accounts are secured by changing their passwords and checking that they are not using duplicate credentials across organizations. They should also consider identity, financial, and medical data monitoring; professionals can’t stop criminals from entering accounts they can access—but they can help mitigate the consequences.
