ECSI Data Breach Lawsuit Says Cybercriminals Used Website Search Function to Steal Private Info
Golec v. Educational Computer Systems, Inc.
Filed: May 9, 2024 § 2:24-cv-00699
A new proposed class action lawsuit accuses Educational Computer Systems, Inc. (ECSI) of failing to protect consumers’ private data during a cyberattack announced last month.
The 29-page Heartland ECSI data breach lawsuit alleges that “significant data security flaws” in an online search function on ECSI’s website allowed an unauthorized third party to gain access to personal information belonging to potentially hundreds of thousands of students and individuals affiliated with the financial company’s college and university clients.
According to the April 2024 ECSI data breach notice letter, the company, which provides colleges and universities with financial services related to student loan servicing and tax document preparation, first detected an “unusually high volume of access attempts” on February 12 of this year. The attempts targeted an online form that allowed students and borrowers to search and access tax and financial records without having to log into a user profile.
The suit relays that cybercriminals, who had discovered the “security flaw,” manipulated the online “guest” search function to exfiltrate personal and financial data at various times between October 29, 2023 and February 12, 2024.
Per ECSI’s notice letter, the cyberattack compromised data from confidential tax documents, such as the 1098-E and 1098-T forms, which may have listed an individual’s Social Security number and certain details about their tuition, scholarships and student loan payments.
The case contends that “recklessly” negligent cybersecurity on ECSI’s part is to blame for the data breach, which continued for several months before being detected by the company. The complaint charges that ECSI’s online search function—now deactivated—created a “significant security risk” to consumers’ sensitive data because it allowed “anyone on the internet” to access confidential tax forms without logging in and verifying their identity.
To make matters worse, ECSI failed to notify data breach victims until months after the incident was purportedly discovered, the filing claims. Moreover, the notice letter included only “basic details” about the cyberattack and did not explain what precise information was stolen, what specific malware was used and what steps are being taken to protect stored data in the future, the suit asserts.
As a result of ECSI’s alleged negligence, impacted individuals now face a heightened risk of being targeted for cybercrimes, such as identity theft and fraud, the case argues.
The data breach lawsuit looks to represent anyone in the United States whose private and/or financial information was exposed to unauthorized third parties as a result of the data breach experienced by ECSI between October 29, 2023 and February 12, 2024.