Marymount Manhattan College experienced a network disruption on Nov. 12, 2021, which was the result of a cyberattack. This page provides additional details about the incident.
The MMC IT team, working in concert with cybersecurity experts, immediately determined that the network had been accessed without authorization. Upon making this determination MMC:
promptly began working with external cyber and legal experts to investigate and respond to the unauthorized access;
notified and coordinated with all relevant agencies as necessary, including law enforcement;
strengthened the College’s IT network, including deploying state-of-the-art security software on all MMC devices;
took every avenue available to minimize the exposure of any sensitive data that was potentially compromised and worked to successfully recover the data.
A thorough and extensive data review was then conducted and has recently concluded. From that review, it was unfortunately confirmed that personally identifiable information of some members of the MMC community was accessed and acquired during the incident. Those whose information was involved are being notified separately via a mailed letter, which details steps they can take to help protect their personal information.
If your data was involved and the college has address information for you, you will receive a direct notification via the U.S. Post Office detailing the specific information that was involved as well as the steps you can take to further protect yourself. Note that the return address on the letter will have a California PO Box because that is the location of the company the college has partnered with to offer complimentary identity protection services. Those letters were mailed Wednesday, Aug. 3, 2022.
MMC deeply regrets any worry or inconvenience that this causes members of our community.
Frequently Asked Questions
If your data was involved and the college has address information for you, you will receive a direct notification via the U.S. Post Office detailing the specific information that was involved as well as the steps you can take to further protect yourself. Note that the return address on the letter will have a California PO Box because that is the location of the company the college has partnered with to offer complimentary identity protection services. Those letters were mailed Wednesday, Aug. 3, 2022.
You can also call 1-833-764-0235 to ask if your information was accessed. Call center representatives are available Monday through Friday between 9 a.m. and 9 p.m. (Eastern Time). All potentially impacted individuals may qualify for complimentary credit monitoring and identity protection services. Individuals who have not received a notification letter must obtain verification of eligibility through the call center to enroll in services.
The letter informing you of the data security incident is legitimate. It is marked with a California PO Box because that is the location of the company the college has partnered with to offer complimentary identity protection services.
There is no reason to suggest any accessed information was misused, and all compromised data was successfully recovered.
Marymount Manhattan College became aware of a cyberattack against its IT network on Nov. 12, 2021. The attack was discovered by the MMC IT team.
MMC disconnected all impacted equipment, servers, and workstations from the network to contain the attack. These prudent steps resulted in some inconvenient, yet unavoidable, temporary disruption of services. MMC also immediately began working with external cyber and legal experts to investigate the attack and ensure the security of the IT network.
An unknown threat actor accessed our system using an IT network vulnerability that did not require any user interaction but is a very common method used for cyberattacks. Once in the system, a remote desktop application was used to access some files on some of our servers.
A comprehensive data review conducted by external experts discovered that personally identifiable information, including student IDs, date of birth, social security numbers, employee IDs, as well as some other types of information was among the compromised data, involving some past and current students, employees, parents, and applicants to MMC. Individuals whose data was involved received a letter describing the specific information and steps they can take to help protect their information.
MMC was the victim of a cyberattack, and as headlines remind us, some of the largest and most sophisticated organizations, including universities, hospital systems, and utility companies, are the victims of these attacks. MMC has installed new state-of-the-art cybersecurity software on our systems and devices. The integrity of our systems and data at Marymount Manhattan College is something we take very seriously. We continue to increase the security of our systems and data.
As soon as we were aware of the incident, MMC notified the U.S. Department of Education, as well as the FBI.
Yes, but it was very limited. If you were directly impacted, you will be notified.
The integrity of our systems and data at Marymount Manhattan College is something we take very seriously. MMC has installed new state-of-the-art cybersecurity software on our systems and devices. We also are undergoing a review of our data retention and storage policies to ensure we are better aligned with the very best of industry practices. Additionally, MMC:
Implemented additional authentication protocols for systems, applications and remote network access;
Initiated a global password reset for the entire community;
Upgraded cybersecurity endpoint protection software to replace the existing software on all network devices and servers (workstations, laptops, etc.);
Engaged cybersecurity experts to provide ongoing managed response and detection services to monitor and mitigate the risks of further threats;
Engaged a cybersecurity expert to perform a post-breach vulnerability assessment on the network to ensure the effectiveness of protection measures.
There is no evidence to suggest any accessed information was misused, but out of an abundance of caution, MMC is offering all individuals who had information accessed complimentary credit monitoring and ID theft recovery services.
A data review of this nature is extremely time-consuming, even with the support of an outside firm that does this type of analysis routinely. It was necessary to conduct a thorough and complete analysis before impacted individuals could be notified. Although the time between the incident and notification is greater than any of us would prefer, notification took place at the earliest possible moment, which was as soon as the analysis was completed.
