Data Breach at EVIT Exposes Personal Data of Over 200,000 Individuals
PHOENIX, AZ – A recent data breach at the East Valley Institute of Technology (EVIT) compromised the personal information of approximately 208,000 individuals, prompting a lawsuit and a critical audit of the institution’s IT security practices. The breach, which occurred in January 2024, has raised concerns about the increasing prevalence of cyberattacks targeting educational institutions.
The lawsuit, filed by plaintiffs David Heintz and Robert LaBrake, alleges “reckless, negligent and/or careless” actions by EVIT led to a lifelong risk of fraud and identity theft. They are seeking monetary damages, improvements to EVIT’s data security systems, and extended identity theft protection services – Heintz requesting 10 years, and LaBrake a lifetime of coverage – beyond the currently offered 12 months. Both are requesting a jury trial.
A March 2024 report by the Arizona Auditor General highlighted notable deficiencies in EVIT’s IT security, citing the January breach as evidence of these vulnerabilities. The report detailed non-compliance with credible industry standards, increasing the risk of unauthorized access to sensitive information, data loss, errors, and fraud.
Specifically, the audit found EVIT did not regularly review and limit user access to its network and critical systems. While the institution has begun implementing recommendations from the Auditor General, including developing a process for annual detailed reviews of user accounts and updating authentication controls, progress remains incomplete. As of a follow-up report released two months ago, EVIT had not updated its policies or established a formal process for annually reviewing authentication controls against industry standards.
Further compounding the issue, the Auditor General’s report revealed that only 86% of EVIT’s 319 employees completed mandatory annual cybersecurity awareness training in Fiscal Year 2024. Completion rates were even lower for newly hired employees, with only 52% of the 72 hired between September and December 2024 completing the training.
“By not ensuring staff receive the required security awareness training, the district continues to be at an increased risk of cybersecurity events resulting in unauthorized system access, data loss, and disruptions to district operations,” the report stated.
The audit also found that EVIT had not, as of July 2024, developed and implemented a tested IT contingency plan. The Auditor General’s Office plans a 24-month follow-up assessment to evaluate EVIT’s progress.
A former, unnamed EVIT employee reportedly observed “that EVIT’s network security seemed to be very lax” around the time of the breach, according to Heintz’s lawsuit.
EVIT has acknowledged the Auditor General’s findings and agreed to implement the agency’s recommendations. The institution has not yet commented on the specifics of the lawsuit.