LCC IT director: No ransom demands or signs of ill-gotten gains from major data breach

Mike Ellis, Lansing State Journal
·3 min read

LANSING — A Lansing Community College official has told federal court officials there's no sign that the personal information exposed in one of the state's largest educational data breaches has been used.

Paul Schwartz, LCC's director of information security, said in a mid-October notarized affidavit that the exposed information involving about 757,000 people has not been used for any "hostage" or "ransom" demands.

He said there is no indication that the college's personal information has been sold or offered for free on the Internet, including on the "dark web," a part of the Internet where illicit items can be sold.

Schwartz's statement does not answer many questions including how the data breach happened, who is accused of doing it and why the college retained personal information for decades.

Lansing Community College's spokesperson, Marilyn Twine, declined to make Schwartz, or the college's president or board chair, available for questions. With an annual enrollment, plus staff, of less than 16,000, the breach may have exposed personal information of people who haven't been affiliated with the college for decades.

Between Dec. 25, 2022, and March 15, 2023, "an unauthorized actor may have had access to certain systems," according to a June 29 notice that was sent to former students and staff members. College officials announced the breach soon afterward, and several former students and others filed lawsuits.

Four lawsuits have been consolidated into one potential class-action lawsuit against the college.

In mid-October, the college issued its first substantive responses to the lawsuit with Schwartz's affidavit and motions to dismiss the lawsuit.

In his affidavit, Schwartz said the "threat actor," or hacker, that compromised the information did not attempt to hold any information "hostage" or for "ransom" and have not demanded any form of payment.

"There is no evidence indicating that any Personal Identifying Information of the named plaintiffs or any other persons, was exfiltrated from LCC's computer networks before, during, or after the Cybersecurity incident," Schwartz said.

Data breaches elsewhere

Other colleges, including the University of Michigan and Michigan State University, have had significant data breaches this year, but those have been attributed to third-party vendors as part of a wide-ranging data breach. U of M had a data breach that is believed to have affected around 230,000 while Michigan State University has disclosed that its breach affected 7,276 people.

The MSU data breach has been attributed to the MoveIT breach, which exploited a vulnerability in a software used by hundreds of leading companies and universities and has affected close to 40 million people, according to Reuters, a news agency.

In August, LCC issued a notice that some of its students and staff could have had their data compromised through some of those same third-parties as MSU, but the compromised data was student names and affiliated with LCC, which was not considered to be personally-identifiable information such as Social Security numbers.

Plaintiffs' claims

In a legal filing seeking to dismiss the potential class action lawsuit, the college says the former students and staff members who are named in the lawsuit as potential victims have not pointed to any losses linked to the LCC data breach. One plaintiff said a tax return was filed in her name in March and another said she was a victim of fraud after the breach.

LCC's legal filing says neither of those women, nor the others who have claimed emotional damages, have offered proof that their losses were linked to the LCC breach.

Contact Mike Ellis at mellis@lsj.com or 517-267-0415

This article originally appeared on Lansing State Journal: LCC data breach: IT director tells court there have been no ransom or hostage demands