EVIT Data Breach Exposes Sensitive Information of Over 208,000 Individuals

The East Valley Institute of Technology (EVIT), a prominent educational institution in Mesa, Arizona, has disclosed a data breach that compromised the personal information of over 208,000 individuals. The breach, which occurred on January 9, 2024, involved unauthorized access to the school’s network, exposing sensitive data of current and former students, parents, and faculty members.

The breach was identified on the same day it occurred, prompting EVIT to take immediate corrective measures. The institution secured its systems, engaged with law enforcement, and initiated an extensive investigation in collaboration with a third-party cybersecurity firm. Despite these efforts, the full scope of the data potentially compromised was not determined until June 4, 2024, when the investigation concluded.

To mitigate the impact, EVIT has offered affected individuals 12 months of identity theft protection services through IDX, with instructions on how to enroll enclosed in the letters, a sample of which can be found on Maine AG's data breach portal.

Exposed data

The compromised data includes a wide range of personal information, varying by individual. Among the types of data potentially exposed are:

• Personal identifiers: Name, date of birth, social security number, student ID number, and race/ethnicity.
• Educational records: Class lists, grades, course schedules, transcripts, and IEP/504 plans.
• Contact details: Home phone numbers, email addresses, and home addresses.
• Sensitive data: Driver’s license or state ID numbers, financial aid information, health insurance details, and medical records.
• Financial information: Account numbers, routing numbers, and payment card information.

EVIT has assured that, as of now, there is no evidence that the compromised data has been publicly exposed or misused. However, due to the nature of the information involved, the institution has urged all affected parties to remain vigilant and take proactive steps to protect their identities.

EVIT’s response and recommendations

In response to the breach, EVIT has implemented several security enhancements to prevent future incidents. These measures include:

• Locking down VPN access and deploying Endpoint Detection and Response (EDR) software.
• Implementing 24/7 monitoring of their systems.
• Revoking privileged user access and resetting all user passwords.
• Rebuilding or replacing 19 virtual servers to ensure no previously impacted servers are reintroduced into the network.

Additionally, EVIT has notified the three largest consumer reporting agencies and provided written notifications to all affected individuals, ensuring that they are aware of the breach and the steps being taken to address it.

EVIT encourages those affected to enroll in the free identity protection services offered and to monitor their financial accounts closely. Individuals are also advised to place a credit freeze or fraud alert on their credit files to prevent unauthorized access. The institution has provided detailed instructions and resources for monitoring credit and protecting personal information, while a FAQ page about the incident has been made available on its website too.