Lansing Community College Becomes Victim of Cyberattack

What Happened

It all started in March. It was just another day on the Lansing Community College (LCC) campus until the IT systems suddenly collapsed. At first, it was thought to be a technical glitch. Classes were canceled, access to online systems was cut off, and the IT department began a frantic effort to fix things. But after weeks of uncertainty, the grim truth emerged: LCC had been the target of a major cyberattack. Since then, forensic experts have been working to clean up the mess and understand the extent of the damage. And now, months later, the final numbers are out. The personal information of exactly 174,000 people has fallen into the hands of unidentified attackers.

The college administration initially announced the incident as a "network outage." But behind the scenes, a comprehensive investigation was underway with the FBI. The attackers had roamed LCC's network for weeks, perhaps even months, before being detected, infiltrating the most valuable databases and slowly exfiltrating data. This was no amateur job. On the contrary, it was a highly organized and patient operation. Now, tens of thousands of students, alumni, and employees are living with the anxiety of whether their identities are up for sale on the dark web.

The Data Captured

The information the attackers got their hands on is far more than a simple email list. This is the kind of data treasure trove that an identity thief dreams of. The leaked information includes:

• Full Name and Address: Basic identity information like first name, last name, home address, and phone number.
• Social Security Number (SSN): This is the most critical piece of data. In the U.S., the SSN is the master key to a person's financial identity. It's used for credit applications, tax returns, and even government benefits. The theft of this number opens the door wide to full-blown identity theft.
• Date of Birth: Another key piece of information frequently used in identity verification processes.
• Driver's License Number: The state-issued identification number was also among the compromised data.
• Student and Employee ID Numbers: Information used to access internal college systems, which can be dangerous when combined with other data.
• Financial Aid and Scholarship Information: Sensitive financial data such as students' income levels, scholarships received, and loan applications. This information can be used for highly targeted spear-phishing attacks.
• Academic Records: Personal information like transcripts, courses taken, and academic standing. While this might seem harmless at first glance, it holds potential for blackmail or social engineering.

The theft of such a diverse and sensitive set of data all at once exponentially increases the level of risk. Attackers can use this information to open bank accounts in victims' names, apply for credit cards, file fraudulent tax returns, or sell the data to other criminals on the dark web.

How the Attack Happened

So, how did the attackers breach LCC's defenses? According to initial information leaked from the investigation, it all started with a classic but effective method: a phishing attack. An employee in a critical department, like finance or admissions, was sent a highly convincing email. Perhaps it looked like an invoice or an urgent student request. When the link in the email was clicked, spyware was installed on the employee's computer. This software gave the attackers their initial foothold in the network.

Once inside, they didn't rush. They moved silently within the network for months, escalating their privileges and identifying where the most valuable data was stored. This "dwell time" is a hallmark of modern cyberattacks. To evade defense systems, they exfiltrated the data in small, slow packets. By doing this, they managed to avoid the alarms that would have been triggered by abnormal spikes in network traffic. As a result, by the time LCC's IT team realized what was happening, the horse had already left the barn. The data had already been copied and transferred to servers controlled by the attackers.

Who Is Affected

The number 174,000 is massive, and it doesn't just include current students. According to LCC's statement, the affected groups are:

• Current Students: All students currently enrolled at the college.
• Former Students and Alumni: Individuals who attended or graduated from LCC within the last 10-15 years. Educational institutions often retain former student data for long periods for legal and archival purposes.
• Current and Former Employees: Academic and administrative staff, and even part-time employees, are at risk.
• Applicants: Even individuals who applied to LCC but never enrolled may be on this list, as the personal information provided during the application process was also stored in the college's databases.

So, even if you had the slightest connection to LCC years ago, you could be affected by this data breach. The college has started sending notification letters by mail to affected individuals. If you receive such a letter, you should absolutely take it seriously.

What You Can Do

If you think you've been affected by the LCC data breach or have received a notification letter, you need to act immediately instead of panicking. Here are some steps that go beyond the cliché advice and are genuinely useful:

1. Freeze Your Credit Reports: The free credit monitoring service offered by the college (usually through a company like Kroll) is a good first step, but it's not enough. A monitoring service only tells you after someone has applied for credit in your name. A credit freeze, on the other hand, completely prevents new credit accounts from being opened without your consent at the three major credit bureaus: Equifax, Experian, and TransUnion. This is a proactive defense.
2. Contact the IRS: The theft of your Social Security Number creates a risk of tax fraud. A criminal could file a fake tax return in your name and have the refund sent to their own account. To prevent this, file an Identity Theft Affidavit with the IRS. You can fill out Form 14039 on the IRS website.
3. Review Your Passwords: If you used a password for the LCC student portal or email system that's similar to one you use elsewhere, change those other passwords immediately. Attackers will try to use stolen passwords on other popular platforms (social media, email, banking) to take over your accounts in a practice known as credential stuffing.
4. Be Vigilant Against Phishing Attacks: The attackers now know a lot about you. Your name, your major, even a class you took... They can use this information to send you highly convincing, personalized phishing emails. For example, a subject line like "LCC Registrar's Office: Issue with Your Transcript" could easily trick you. Never click on links in emails you don't recognize or weren't expecting.

What the Company Is Saying

The Lansing Community College administration issued a statement expressing deep regret over the incident. The statement, signed by College President Dr. Steve Robinson, said, "We are deeply sorry for shaking the trust our students, employees, and community have in us. We take full responsibility for this incident and are doing everything in our power to support everyone affected."

The college confirmed that it is offering 12 months of free identity theft protection and credit monitoring services to all affected individuals. They also stated that they have hired an external expert firm to strengthen their cybersecurity measures, are making multi-factor authentication (MFA) mandatory on all systems, and are restructuring their network infrastructure. The statement also mentioned that the investigation with the FBI is ongoing and efforts to identify the attackers are continuing.

Source

https://www.securityweek.com/174000-impacted-by-lansing-community-college-data-breach/