Dec 23, 2024

Former Whitworth University Student Sues After Ransomware Attack Last Summer

by Nadia El-Yaouti | Jun 29, 2023
Photo: Sign at the entrance of Whitworth University, with trees and campus buildings in the background.

Photo source caption: A student at Whitworth University during a data breach in July is suing the school, asking for a class action and claiming negligence against Whitworth in allowing the theft of information belonging to what the university estimates is more than 65,000 people. (Spokesman-Review via The Spokesman-Review)

A former student at Whitworth University in Spokane, Washington, has filed a lawsuit against the university after it became the target of a ransomware attack discovered in July 2022.

The lawsuit was filed Thursday in U.S. District Court in Spokane and accuses the university of negligence after hackers were able to steal personal information, including financial and health information, of current and former students, staff, and faculty.

Although the ransomware attack was discovered in July, it was not until August that the university reported the attack as a “sophisticated security issue.” In October, the university reported the attack to the Washington attorney general's office. The attack affected 65,593 individuals, 36,564 of whom were Washington state residents.

Like most cyber attacks, ransomware attacks are typically carried out through social engineering tactics such as email phishing in order to exploit a vulnerability in the target's network. Ransomware attacks work by encrypting data so that the data owner cannot access it. Hackers then demand a ransom to decrypt the data and will not do so until the ransom is paid. If the ransom is not paid, hackers will often sell the data on the dark web to other bad actors.

Cyber security experts and government officials typically advise against paying the ransom, as doing so can help fuel this type of cyber attack. Additionally, even if a ransom is paid, sensitive information can still fall into the wrong hands once it has been compromised. It is not clear if the university paid the ransom to recover the data in the July breach.

In alerting the public, the university shared a letter that explained, “Multiple unauthorized actors infiltrated our network” and were able to obtain information including names, student identification numbers, state identification numbers, passport numbers, Social Security numbers, and health data. Still, university officials maintained that the hackers were unable to retrieve a file that contained the most sensitive type of information. University and state officials have not disclosed who or what organization was behind the cyberattack.

According to the Washington Attorney General’s Office, there were 4.5 million Washingtonians who were the victims of cyberattacks in 2022, a tick down from the 6.5 million impacted individuals in 2021.

The lawsuit, which was filed by former student Patrick Loyola, accuses the school of not doing enough to prevent the attack from occurring in the first place. He contends that the university’s security systems were "completely inadequate and allowed cybercriminals to obtain files containing a treasure trove of thousands of its former and current students' highly sensitive ."

In its alert to impacted individuals, Whitworth University offered a free credit monitoring service. However, Loyola argues that the credit monitoring service “does not adequately address the lifelong harm that victims will face following the data breach.”

He adds that he has suffered "increased anxiety for the loss of privacy" which requires him to continually monitor his credit. The lawsuit goes on to say Loyola has “suffered imminent and impending injury from the substantially increased risk of fraud, identity theft, and misuse” of his personal information as a result of the data breach.

Loyola argues that the university’s negligence led him and others to suffer damages in excess of $5 million. Loyola is currently seeking class-action status for the lawsuit to help provide relief for others impacted.

Nadia El-Yaouti is a postgraduate from James Madison University, where she studied English and Education. Residing in Central Virginia with her husband and two young daughters, she balances her workaholic tendencies with a passion for travel, exploring the world with her family.
