Hacked information included names, addresses, dates of birth, Social Security numbers, driver's license numbers, passport numbers, credit and debit card information and medical costs.
Under terms of the deal, class members' ordinary out-of pocket expenses — including unreimbursed bank fees or losses due to identity theft — are capped at $400 each. Those expenses include up to three hours of lost time at $25 an hour.
Extraordinary out-of-pocket expenses are capped at $2,500 for each person. Class members, though, must provide documentation showing they made reasonable efforts to avoid, or sought reimbursement for, those losses — including exhaustion of all available credit monitoring insurance and identity theft insurance.
Class members also can submit a claim to accept two years of credit monitoring services and identity theft restoration services.
The private Catholic university also agreed to pay all settlement administration costs and attorneys' fees and costs of about $216,000.
The deal represents a "significant benefit" for the 41,825 class members who are eligible to make a claim, lawyers for the plaintiffs said in a court filing. None of the members objected to the settlement, details of which are posted at OLLUsettlement.com.
A hearing on final approval and certification of the class is set for Nov. 15. State District Court Judge Marialyn Barnard granted preliminary approval in July.
Attorneys for the university and the plaintiffs didn't respond to requests for comment Monday.
The university first acknowledged the data breach with a public notice on March 31, 2023 — a week after the San Antonio Express-News first reported on it.
Ana Vasquez, a Texas resident who applied for admission to the university in 2019 but never enrolled, sued the university over the hack in April 2023. She filed on behalf of current and former students, employees and those who had applied to the school. Jose Gonzalez filed a similar complaint less than two months later. The suits were later combined.
The two named plaintiffs stand to receive service awards of $5,000 each.
Vasquez alleged the university on San Antonio's West Side failed to protect individuals' personally identifiable information and "failed to even encrypt or redact this highly sensitive information."
The data was compromised because of Our Lady of the Lake's "negligent and/or careless acts and omissions and its utter failure to protect students' sensitive data," the complaint added.
Vasquez said she suffered injury, including $295 in fraudulent charges to her credit card, invasion of privacy and loss of time mitigating the risk of identity theft.
The Express-News, citing Boerne-based IT consulting firm BetterCyber Consulting Group LLC and Breachsense, an Ohio-based data breach monitoring platform, reported that the ransomware group AvosLocker claimed it hacked into the university's network.
AvosLocker has been linked to online attacks at other colleges.
In October 2023, the FBI and the Cybersecurity & Infrastructure Security Agency issued an advisory on AvosLocker.
"AvosLocker affiliates compromise organizations' networks by using legitimate software and open-source remote system administration tools," the agencies said. "AvosLocker affiliates then use exfiltration-based data extortion tactics with threats of leaking and/or publishing stolen data."
Our Lady of the Lake University said its investigation of the data breach found that a "limited amount of personal information was removed" from its network.
©2024 the San Antonio Express-News. Distributed by Tribune Content Agency, LLC.
