Simpson College has notified the Office of the Attorney General of Iowa regarding a security breach involving personal information belonging to approximately 107 student athletes. The breach was linked to the Athletic Trainer System (ATS), a third-party vendor that facilitates the upload of personal data, including protected health information, by students. The initial notification from ATS was received by Simpson College on November 17, 2023, indicating that a threat actor may have accessed or acquired sensitive information between January 2020 and January 2021.
Following the initial alert, ATS issued a follow-up letter on November 30, 2023, updating the college on the situation but could not confirm which specific athlete profiles had been compromised. The nature of the personal information at risk was not explicitly detailed, leaving uncertainty about the specific data accessed by the threat actor. Given the lack of clarity regarding the extent of the breach, students whose information may have been involved were left with limited information on the potential risks they face.
In response to the breach, ATS is taking proactive measures, including the implementation of multi-factor authentication for user accounts, aimed at enhancing security and preventing future incidents. Additionally, Simpson College has reinforced the importance of strong password practices among its students, urging them to regularly change their passwords and utilize complex security questions. These steps are intended to mitigate any potential impact from the breach, even though the incident may have occurred over three years ago.
In total, 2,637 individuals in Iowa are being notified about the breach. The college has attached a sample notice letter to inform affected individuals about the breach and the necessary steps they may need to take. Simpson College’s commitment to transparency and communication with students emphasizes the institution’s dedication to safeguarding personal information and ensuring that all stakeholders are informed of potential risks.
Reference:
