Identity thieves can hunt us for 'rest of our lives,' claims suit after university data leak

An American university founded in 1833 is facing a bunch of class action lawsuits after the personal data of nearly 100,000 people was stolen from its tech infrastructure.

And because the data includes the identity fraud goldmine of the victims' names and social security numbers (SSNs), one of the lawsuits claims the danger to those affected could continue throughout "their lives."

SSNs are assigned at birth, and never change, and they allow US government agencies to identify individuals in their records and "businesses to track an individual's financial information." With just an SSN, name, and address, criminals can take out a credit card or loan in the victim's name. It can also be used to obtain medical care (and rack up bills) in the person's name, or the criminal can identify themselves using it when arrested - giving the victim a criminal record.

Attackers spent 12 days rummaging through servers and posted the personal details they found on the dark web. According to the data breach notice by Mercer University in Macon, Georgia, 93,512 people were affected.

One of the complaints alleges the attackers were members of the Akira ransomware gang, which, according to Sophos, uses a "retro aesthetic on their victim site" reminiscent of green screen consoles and was possibly named for the 1988 anime film.

The complaints – all of which ask for a jury trial – include one from visiting Yale professor Jennifer Kilkus [PDF], who taught at Mercer uni from 2016 to 2018; another from an unnamed alumnus calling themselves John Doe [PDF], who says he suffered fraudulent credit card charges after the breach; and another from former student Ping Wang [PDF].

The breach notice said the attack took place over February 12-24 and was only discovered on April 30. Data including name and "other personal identifiers" in combination with driver's licenses and Social Security numbers (SSNs) was nicked. Kilkus, however, says in her complaint that "if Mercer had exercised reasonable diligence in its investigation, it would have learned far sooner" that the personally identifiable information (PII) had been exposed."

All of the lawsuits allege negligence, claiming little care was taken to protect the plaintiffs' PII, with Doe's suit alleging: "Not until over a month after it claims to have discovered the data breach did defendant begin sending the notice to persons whose PII and/or financial information defendant confirmed was potentially compromised as a result of the data breach."

Wang's lawsuit, meanwhile, specifically calls out the uni for allegedly not putting into place basic network segmentation or encrypting the confidential information that was leaked.

The complaint states: "Mercer University had far too much confidential unencrypted information held on its systems."

Mercer released a statement on May 9 saying: "Although the University has taken extensive measures to protect the privacy of its information, some data – Social Security numbers and driver's license numbers – were removed from its systems without authorization. The University has found no evidence that personal financial information was removed."

• US veterans' data exposed after burglary
• Criminals spent 10 days in US dental insurer's systems extracting data of 9 million
• T-Mobile US suffers second data theft within months
• Data loss costs are going up – and not just for those who choose to pay thieves

The Register noticed Mercer filed the data breach notice with the Maine state attorney general, under a law which only applies to personal data that is not encrypted, but not wanting to take this at face value, we asked the institution whether it had any encryption in place. It declined to comment on pending litigation.

Wang's complaint also alleges that "according to postings on the dark web" where the Akira gang allegedly posted the defendants' private information, the miscreants "stated that Mercer University had refused to pay the ransom."

The breach notice filed with the Maine attorney general included the sample letter sent to those affected, which stated: "Mercer University takes the security of our computer systems very seriously. Even so, like many higher education institutions, we recently experienced unlawful access into our computer systems." It said it offered "complimentary identity theft protection services through a one-year membership with Experian IdentityWorks."

It's debatable whether one year will be enough. Wang's complaint claims: "For the rest of their lives, plaintiff and the class members will have to deal with the danger of identity thieves possessing and misusing their private information."

Kilkus's complaint alleges the university failed to train staffers on basic infosec protocols, and that given the type of data Mercer collected and stored, "it was highly foreseeable that bad actors would attempt to access it without permission."

The Federal government advises that "each time an individual divulges his or her SSN" there is "potential for a thief to illegitimately gain access to bank accounts, credit cards, driving records, tax and employment histories and other private information increases."

It recommends that SSNs should only be collected as a last resort, and that they must be stored in an encrypted fashion.

The Feds learned the hard way, only requiring encryption of sensitive data stored on its laptops after a 2006 theft of computer equipment that contained data on 26.5 million veterans. ®