Today, two class-action lawsuits filed against the Mesa vocational education provider over that data beach are making their way through Maricopa County Superior Court.
One suit claims the culprit behind the cyber attack was a criminal group known as LockBit — which in 2022 was the most deployed ransomware variant across the world and continued to be prolific in 2023, according to the U.S. Cybersecurity and Infrastructure Security Agency.
Between January 2020 and at least July 2024, LockBit was deployed against over 2,500 victims, who paid over $500 million in ransom payments and made ransom demands totaling hundreds of millions of dollars, the U.S. Department of Justice said.
And the U.S. Department of Education reported that school districts across the country experience an average of five cyber incidents a week.
Educational institutions are prime targets because they maintain sensitive student and staff personal information and often lack resources to put in place comprehensive cybersecurity programs, SchoolSafety.gov said.
EVIT spokeswoman CeCe Todd said EVIT did not pay any ransom to the group. Beyond that, she said, EVIT “has no comment or statement at this time on pending litigation.”
According to Chris Maddux, EVIT’S information systems director, the institution “has made many updates to our systems and environments” since the data breach.
“EVIT collaborated with our liability insurance provider and the Arizona Department of Homeland Security Cyber Readiness Program for advice and support in making these improvements,” said Maddux in an email.
He provided a list of steps taken by EVIT to enhance its cybersecurity, which included implementing a new backup system and new endpoint protection system, upgrading the firewall and implementing multi-factor authentication for all staff.
The EVIT Governing Board also met behind closed doors Aug. 25 to discuss the lawsuits, but in open session did not disclose what legal action was being taken. It only voted to authorize the superintendent to proceed as discussed in executive session.
EVIT serves about 8,000 high school students from 11 school districts, including Mesa, Gilbert, Higley, Chandler, Fountain Hills, Scottsdale, Queen Creek, Tempe, Apache Junction, J.O. Combs and Cave Creek. It also offers post-secondary programs for adults.
The attorneys for Hunter LaBrake, a former EVIT student, filed suit in March and for Justin Heintz, a former student and employee, in December. Both claim that EVIT failed to properly secure and safeguard the sensitive information.
The suits also state that EVIT failed to report the Jan. 9 breach within the 60-day time period as required.
They claim the institution waited seven months — until mid-August — to warn people of the risk via hard-copy notifications. Both LaBrake and Heintz said they received their letters in August.
News of the cyber attack was not widely reported until August after victims were notified and the Office of the Maine Attorney General reported the breach on Aug. 12. EVIT had notified Maine, which then had 12 residents affected by the breach.
Trade media jumped on the story and quoted a number of industry leaders, such as Jason Soroko, a cybersecurity expert.
According to Soroko, the exposure of 48 distinct categories of personally identifiable information was “unusually high” and suggested a vulnerable system that needed stricter controls.
EVIT said that immediately after detecting the incident, “it provided email notification to all current and former students, staff, faculty, and parents with email addresses on file.”
EVIT says it notified potential victims on Jan. 12, 2024, Jan. 24, 2024 and March 5, 2024.
EVIT’s Aug. 13, 2024 letter stated that the records of 208,717 individuals were potentially affected and the information involved included student and military ID numbers, dates of birth, grades, Social Security numbers, driver licenses, financial aid information, bank routing numbers, medical information and home addresses.
“This attack had a limited impact on our operations,” EVIT said in the notice. “We promptly took corrective steps to investigate the incident, secure our systems, report the incident to the three largest nationwide consumer reporting agencies and appropriate authorities, contain and remediate the threat, and notify potentially impacted individuals.
“To date, EVIT has not discovered any publication of EVIT data that contained sensitive information.”
Nonetheless, given the possibility that the information may have been compromised, EVIT said it engaged a third party to conduct a thorough review of all potentially impacted files, which concluded in June 2024.
EVIT also said it hired a third party to add computer security protections and protocols to “harden its network infrastructure and offer improved protections” of sensitive data from unauthorized access.
According to LaBrake, “there has been no assurances offered by EVIT that all personal data or copies of data have been recovered or destroyed, or that defendant has adequately enhanced its data security practices sufficiently to avoid a similar breach of its network in the future.”
The plaintiffs said the breach could have been avoided had EVIT implemented security measures earlier, alleging that as an educational institution it knew or should have known that its electronic records would be targeted by cyber criminals.
“For EVIT to have permitted this data beach to occur is particularly inexcusable considering, among other things, the recent prevalence of these types of incidents generally and among educational institutions in particular,” Heintz said.
The Arizona Auditor General in a March 2024 report noted EVIT’s deficiencies in its IT security and pointed to the January breach as further evidence. EVIT responded that it accepted the findings and agreed to implement the agency’s recommendations.
EVIT’s IT deficiencies included non-compliance and practices inconsistent with credible industry standards, which increased the risk for authorized access to sensitive information, date loss, errors and fraud, the report said
EVIT also did not regularly review and limit user access to its network and critical systems, the report added.
In a follow-up report released two months ago, the Auditor General said that EVIT was in the process of implementing several of its recommendations, including developing a formal process to regularly perform, at least annually, detailed reviews of administrative and user accounts and assess their access level and need for network and critical systems access.
EVIT also had updated some authentication controls for all its critical IT systems to align with credible industrial standards but has not updated its policies or developed a former process to review its authentication controls against credible industry standards at least annually, the report said.
And though the district has established a policy requiring all employees to undergo annual cybersecurity awareness training, just 86 percent of the district’s 319 employees in Fiscal Year 2024 had completed the training and 52 percent of the 72 employees hired between September and December 2024, the report added.
“By not ensuring staff receive the required security awareness training, the district continues to be at an increased risk of cybersecurity events resulting in unauthorized system access, data loss, and disruptions to district operations,” the report stated.
EVIT also had not by the time of the July report developed and implemented an IT contingency plan and tested it annually to identify and remedy any deficiencies. According to the Auditor General’s Office, it will assess EVIT’s efforts at a 24-month follow-up.
Also, a former unnamed EVIT employee at the time of the breach said he observed “that EVIT’s network security seemed to be very lax,” Heintz’s suit said.
Due to EVIT’s “reckless, negligent and/or careless (at a minimum) acts,” resulting in lifelong risk of fraud and identify theft, the plaintiffs’ demands included monetary damages, that EVIT strengthen its data systems, and that the offer of free identify theft protection and credit monitoring extend beyond the 12 months.
Heintz asked for 10 years while LaBrake asked for it to be lifetime.
Both also asked for a jury trial.
© 2025 East Valley Tribune (Mesa, Ariz.). Distributed by Tribune Content Agency, LLC.
