Baker University has disclosed a data breach in which unauthorized individuals accessed its network in December 2024, compromising the personal, health, and financial data of more than 53,000 people.
Established in 1858, Baker University is a private institution located in Baldwin City, Kansas, serving nearly 2,000 students and employing over 300 staff members.
The university identified unusual network activity following an outage in December 2024. An investigation determined that attackers had unauthorized access to its systems between December 2 and December 19, during which sensitive documents were exfiltrated.
In a breach notification letter published on its website, Baker University stated, “Through this review, Baker University determined that information which may have been involved included data related to those affiliated with Baker University.”
The compromised data varied for each individual but could include names, dates of birth, driver’s license numbers, financial account details, health insurance information, medical records, passport information, Social Security numbers, student identification numbers, and tax identification numbers.
A disclosure to the Office of the Maine Attorney General indicated that the data breach affected 53,624 individuals.
Although the university has not found evidence of the stolen information being used fraudulently, it is providing free credit monitoring services to affected individuals. Those potentially impacted are advised to regularly review their account statements and credit reports for any unusual activity.
Baker University president Jody Fournier stated, “The confidentiality, privacy, and security of our Baker community’s personal information is one of our university’s highest priorities.” Fournier added that the university’s team has collaborated with external cybersecurity experts since the incident, leading to the rebuilding of a primary platform that was compromised.
The specific nature of the attack and the identity of the perpetrators, whether a cybercrime operation or a state-sponsored group, have not yet been disclosed by the university.
Other U.S. universities have also experienced breaches recently, including Harvard University, Princeton University, and the University of Pennsylvania. These institutions reported that their development and alumni systems were compromised in voice phishing attacks, leading to the theft of personal data belonging to students, alumni, donors, and staff.
Additionally, the Clop ransomware group targeted Harvard University and the University of Pennsylvania through a data theft operation. This campaign leveraged a zero-day vulnerability in their Oracle E-Business Suite (EBS) financial platforms, resulting in the theft of sensitive personal and financial data from students, staff, and suppliers.


