The action was filed last month by Ana Vasquez, a Texas resident who applied for admission to the university in 2019 but never enrolled. She filed the complaint on behalf of herself and "others similarly situated."
Total damages sought are more than $1 million, though each of the plaintiff's individual damages are less than $75,000.
The private Catholic university issued a public notice of the data breach March 31 — a week after the San Antonio Express-News first reported it.
Nearly 42,000 individuals were affected, according to a posting on the Maine attorney general's website.
That includes 27,568 Texas residents, according to a notice on the Texas attorney general's data breach security reports website. Hacked information included names, addresses, dates of birth, Social Security numbers, driver's license numbers, passport numbers, credit and debit card information and medical data.
A spokeswoman said the university cannot comment on pending litigation. It has yet to answer the lawsuit, filed April 21 in state District Court in San Antonio.
The suit alleges the university on San Antonio's West Side failed to protect individuals' personally identifiable information" and "failed to even encrypt or redact this highly sensitive information."
The data was compromised because of Our Lady of the Lake's "negligent and/or careless acts and omissions and its utter failure to protect students' sensitive data," the complaint adds.
Citing Boerne-based IT consulting firm BetterCyber Consulting Group LLC and Breachsense, an Ohio-based data breach monitoring platform, the Express-News reported last month that the ransomware group AvosLocker claimed that it had hacked into the university's network. AvosLocker has been linked to various online attacks at colleges, most recently at Bluefield University in Virginia.
Our Lady of the Lake said in its March 31 notice that it found "unauthorized access" to its network about Aug. 30 and "immediately launched an investigation in consultation with outside cybersecurity professionals" to examine the breach and analyze compromised information. It didn't say how hackers gained access to the network.
The university said its investigation, which ended March 3, found that a "limited amount of personal information was removed" from its network.
"To date, we are not aware of any reports of identity fraud or improper use of any information as a direct result of this incident," it said in the notification.
But Vasquez, the plaintiff, says she suffered injury — including about $295 in fraudulent charges to her credit card last month, invasion of her privacy and loss of time related to mitigating the risk of identity theft.
The lawsuit raises the possibility that Vasquez's and other victim's information was sold on the so-called dark web. Personal information can be sold at prices ranging from $40 to $200, while access to entire company data breaches can sell for as much as $4,500, the suit adds.
The lawsuit also questions why it took the university more than six months to give notice of the breach after it was detected. It also criticizes Our Lady of the Lake's offer of 12 months of identity monitoring to those affected — given that victims of data breaches commonly face multiple years of ongoing identity theft and medical and financial fraud.
The lawsuit seeks to have the university take steps to protect those affected, including requiring it to engage independent security auditors and internal security personnel to conduct testing, including simulation attacks, and audits of its systems on a periodic basis and to correct any problems detected.
A lawyer for Vasquez didn't respond to a request for comment. Her causes of action include negligence, breach of implied contract and unjust enrichment.
©2023 the San Antonio Express-News. Distributed by Tribune Content Agency, LLC.
