IMPERIAL — Imperial Valley College announced on Tuesday, Oct. 27, that the personal information of campus community members was accessed during the Aug. 6 ransomware attack that crippled the campus’ computer systems.
The announcement, which was sent to students on Monday, Oct. 26, did not specify the number of individuals whose personal information might have been breached, or the nature of that personal data.
Third-party experts were determining the confidential data that had been accessed, stated Elizabeth Espinoza, interim IVC public information officer, in an email Oct. 27.
“Some employees and students were impacted,” she stated.
In her Oct. 26 letter to students, IVC Superintendent/President Martha Garcia stated the third-party investigation was completed and that the campus received new preliminary information that would need to be further clarified by the third-party experts.
“I felt it was critical to be transparent, in spite of the fact that we will not have answers to all your questions,” Garcia stated. “While we have no evidence to suggest that any of the impacted information was viewed or misused during this compromise, we are working diligently to identify affected individuals and will notify them in accordance with all state and federal laws.”
Those whose personal information is determined to have been impacted can expect a letter from IVC in the next 14 days providing additional details and information regarding credit-monitoring services, Garcia’s letter stated.
The Aug. 6 ransomware attack resulted in the payment of the $55,068 that was demanded by the hack’s perpetrators, Garcia reported.
As a result of the incident, IVC officials were prompted to push back the start of the fall semester a week.
The payment, which was provided by the campus’ insurer and did not require the use of any general fund or categorical dollars, was approved following discussions among the Imperial Community College District Board of Trustees, the campus’ IT department and the third-party forensic company.
“This enabled us to get our key systems to function and start the semester’s online classes with a one-week delay while both hybrid and face-to-face classes began at their regularly scheduled start date,” Garcia stated in her letter.
In contrast to the ransomware attack that impacted the county’s computer systems in April 2019, IVC did not rebuild its systems from the floor up. The college instead chose to have its IT department and consultants extensively reprogram the system, IVC previously reported.
At the time, the college also had decided to take its network offline Aug. 6 to protect its core information system, called the BANNER student information system, which is a database of all student records.
“I recognize that this has been and is a traumatic experience and I sincerely apologize to you,” Garcia stated. “I assure you that we have learned some difficult lessons from it and will do our best as we move forward.”