A notification posted Friday on the private Catholic university's website was its first public statement on the cyber attack, which the Express-News first reported last month.
It has declined to specify whether it was hit by a ransomware attack, in which hackers deploy malicious software to lock people and groups out of their networks and demand payments to regain access, or to identify the suspected hacker.
The university did not respond to emailed questions this week.
The Express-News reported earlier, based on interviews with victims, that the hackers took information on the university's faculty, students, staff and even applicants who never attended.
The ransomware group AvosLocker claims it hacked into the San Antonio university's network, according to Boerne-based IT consulting firm BetterCyber and Breachsense, a data breach monitoring platform.
In the statement it posted, the university said it found "unauthorized access" to its network occurred about Aug. 30 and "immediately launched an investigation in consultation with outside cybersecurity professionals" to examine the breach and analyze compromised information. It has declined to identify who it worked with on the examination or say how hackers gained access to the network.
The investigation, which it said ended March 3, found that a "limited amount of personal information was removed" from its network. It said that included full names and one or more of the following: Social Security, driver's license and passport numbers; government university identification numbers, dates of birth, bank account information and online credentials. It began notifying affected individuals about March 31.
"To date, we are not aware of any reports of identity fraud or improper use of any information as a direct result of this incident," it said in the notification.
Fall semester enrollment at the university was about 2,300 students. It employs about 450 people.
"This notice is strange," said an individual who applied to the university in 2016 but never attended. They spoke on condition of anonymity because of concerns their information has been posted online or will be. "It still makes me feel that they don't know what happened."
The university has declined to disclose whether it's contacted law enforcement agencies in regard to the attack. The FBI's San Antonio Division did not respond to requests for comment.
ABOUT AVOSLOCKER
In March 2022, the FBI and Department of the Treasury's Financial Crimes Enforcement Network released a joint cybersecurity advisory identifying AvosLocker as a "ransomware as a service affiliate-based group that has targeted victims across multiple critical infrastructure sectors in the United States," including financial services, manufacturing and government facilities.
"AvosLocker claims to directly handle ransom negotiations, as well as the publishing and hosting of exfiltrated victim data after their affiliates infect targets," the agencies said.
More recently, AvosLocker has claimed it hacked Paul Smith's College, a private school in New York, about the same time it accessed information at the local university last year.
The Adirondack Daily Enterprise last month reported a story about a cyber incident at Paul Smith's discovered Aug. 27, after the private college notified about 10,000 students, staff and potential students about the breach. The university did not respond to requests for comment this week.
Some of the victims in San Antonio said they had learned about the breach at Our Lady of the Lake through alerts from credit card companies and credit rating agencies that their personal information had been compromised and were able to connect it to an attack on the university's network.
San Antonio has experienced a rise in cyber attacks in recent years, with many described as ransomware attacks. Hackers have hit other educational institutions as well as private companies and local government agencies.
In 2021, Judson Independent School District paid a ransom of $547,045 to hackers to keep sensitive information from being posted online for public access. That same year, North East Independent School District notified about 5,000 current and former employees of a potential data breach after an employee's email account was breached and hackers attempted to divert school funds. The district was able to shut down the attack before any money was transferred.
In 2019, the Center for Health Care Services in Bexar County shut down its computer network after a cyber attack. And in December, Rackspace Technology was hit by a ransomware attack that left thousands of the San Antonio company's customers scrambling to retrieve their email data.
PRIVACY RULES
Generally, education institutions are subject to privacy laws including FERPA — the Family Educational Rights and Privacy Act — and the Texas Identify Theft Enforcement and Protection Act, according to Jarrod Griffin, press secretary at the Texas Attorney General's Office.
Griffin said in email the Attorney General "occasionally" receives notices of data breaches from colleges and universities across the state. Since September 2021, the state office has maintained a webpage that lists reported data breaches.
The office has yet to receive a data breach notice from OLLU, according to Griffin and the webpage.
Reached by email last month, both the Texas Education Agency and the Texas Higher Education Coordinating Board said they don't require schools and universities to report cyber incidents.
©2023 the Houston Chronicle. Distributed by Tribune Content Agency, LLC.
