The private Catholic university on San Antonio's West Side this week confirmed that it recently found evidence that "unauthorized access" to its network occurred about Aug. 30 and that "a limited amount of personal information was removed." It declined to detail the types of information taken.
The university hasn't notified those who were affected but plans to do so next Friday, spokeswoman Anne Gomez said.
But in interviews, people who learned through other means that their data had been compromised said it included Social Security and driver's license numbers, dates of birth and home addresses.
It's unclear whether Our Lady of the Lake was hit by a ransomware attack, in which hackers deploy malicious software to lock people and groups out of their networks and demand payments to regain access. Hackers also often threaten to publicize private information contained in the attacked systems.
The university consulted with "outside cybersecurity professionals" to investigate the incident, Gomez said, declining to identify the investigator or the nature of the attack.
Some of the victims who were interviewed said they learned through alerts from credit card companies and credit rating agencies that their personal information had been compromised and were able to connect it to an attack on Our Lady of the Lake's network.
The people, two of whom said they applied to the university in 2016 but never attended, spoke on condition of anonymity because of concerns their information has been posted online or will be.
Fall semester enrollment at the university was about 2,300 students, and it employs about 450 people.
San Antonio has seen a surge of cyber attacks in recent years, with many described as ransomware attacks. They have hit other educational institutions as well as private companies and local government agencies.
In 2021, for example, Judson Independent School District paid a ransom of $547,045 to hackers to keep sensitive information from being posted online for public access. That same year, North East Independent School District notified about 5,000 current and former employees of a potential data breach after an employee's email account was breached and hackers attempted to divert school funds. The district was able to shut down the attack before any money was transferred.
In 2019, the Center for Health Care Services in Bexar County shut down its computer network after a cyber attack. And in December, Rackspace Technology was hit by a ransomware attack that left thousands of the San Antonio company's customers scrambling to retrieve their email data.
It remains unclear whether Our Lady of the Lake has contacted law enforcement or the FBI, which often investigates ransomware attacks. For example, the FBI is investigating the attack on Rackspace.
The Texas Attorney General's Office did not respond to questions concerning the attack on Our Lady of the Lake.
Reached by email last week, both the Texas Education Agency and the Texas Higher Education Coordinating Board said they don't require schools and universities to report cyber incidents.
In addition to notifying the affected individuals next week, the university will post a notice of the attack on its website, Gomez said, "in accordance with state and federal law."
The university "is committed to maintaining the privacy of personal information in its possession and has taken many precautions to safeguard it," she said, later adding that the institution "continually evaluates and modifies its practices and internal controls to enhance the security and privacy of personal information."
©2023 the Houston Chronicle. Distributed by Tribune Content Agency, LLC.
