33,000 Records, One Drive Full of Forgotten Data, and a Ransomware Gang Called Medusa

Clackamas Community College in Oregon City has been hit by ransomware for the second time in two years, this time exposing the personal records of 33,381 people — including Social Security numbers, passport numbers, medical information, and financial account data. A class-action lawsuit followed. What happened under the hood is a story about institutional inertia, the industrialization of cybercrime, and a filing cabinet metaphor that no longer holds water.

There is something quietly horrifying about the phrase "dumping ground." That is what Clackamas Community College President Tim Cook used when describing what attackers found on the internal drive they accessed during the school's October 2025 breach. "Looks like the information they got was from our internal drive," Cook said in statements reported by The Clackamas Print. "From what we can tell just by looking at that drive, it's kind of a dumping ground."

A dumping ground. Not an encrypted vault. Not a segmented, access-controlled repository. A place where data accumulates over years without active governance — because that is exactly what institutional file shares tend to become when security spending is perpetually deprioritized and IT teams are stretched thin managing day-to-day operations.

This is the second time in two years that Clackamas Community College has disclosed a ransomware breach. The first occurred in January 2024, was claimed by LockBit 3.0 and traced to a Russian IP address, and compromised the records of 8,797 people. That incident prompted law enforcement involvement from the FBI, CISA, the Oregon State Police, and the Department of Homeland Security. LockBit's infrastructure was largely dismantled by international law enforcement roughly a month later, which limited the downstream harm from that incident. A year and change later, a different ransomware operation — Medusa — walked back in through what investigators believe was an initially compromised user account and exfiltrated 1.2 terabytes of data. This time, 33,381 people found letters in their mailboxes.

To understand how this keeps happening — not just at Clackamas but at hundreds of institutions across the country — you need to understand how modern ransomware works, what institutional security postures actually look like from the inside, and why the data sitting on educational systems carries a specific kind of value that criminals have learned to price precisely.

The Timeline: A Breach in Slow Motion

The sequence of events in the Clackamas breach is a near-perfect illustration of what security professionals call dwell time — the period between when an attacker gains access and when they are detected. The longer the dwell time, the more thoroughly the attacker can map the environment, escalate privileges, identify the most sensitive data, and ultimately execute the payload with maximum impact.

Here is what the public record shows, reconstructed from breach notifications submitted to the Maine and Vermont Attorneys General, statements from college leadership, and reporting by The Clackamas Print and Comparitech:

September 10, 2025: Clackamas IT staff detect suspicious activity tied to a specific user account. The account is reset. At this stage, the college appears to treat this as a contained credential incident — not necessarily a full intrusion. No evidence has emerged publicly that a forensic investigation was initiated at this juncture.

October 24, 2025: More suspicious activity is detected. This time, the college moves to contain the network and engages an outside forensic security firm. This is the date on which unauthorized files are confirmed to have been acquired — meaning the data exfiltration happened on this date, whether or not the attacker had been present inside the network since September.

October 29, 2025: The Medusa ransomware group posts Clackamas Community College to its public data leak site on the dark web. Medusa demands $300,000 in exchange for the 1.2 terabytes of data it claims to have stolen and for not publishing it. The clock starts ticking.

December 18, 2025: The forensic investigation concludes. The college formally determines that personal information was compromised. This is 85 days after the first suspicious activity was flagged.

January 8, 2026: Written notifications begin going out to affected individuals. A notice is simultaneously filed with the Maine Attorney General's office, disclosing 33,381 affected persons in the United States — with one individual in Maine and nine in Massachusetts. The notice is also submitted to Vermont's Attorney General.

February 28, 2026: Oregon Live and other outlets report that a class-action lawsuit has been filed stemming from the breach, alleging the college stored students' private information negligently. Law firms including Lynch Carpenter, LLP formally announce they are investigating claims.

Timeline Note

The gap between the first suspicious activity (September 10) and the formal breach determination (December 18) spans more than three months. Breach notification laws in most states require notification "in the most expedient time possible" and within specific windows once the breach is confirmed. The gap between confirmation (December 18) and notification start (January 8) — 21 days — is within standard legal windows. The longer question is what happened between September 10 and October 24.

What this timeline reveals is a pattern that appears across dozens of institutional breaches every year: an initial indicator that is contained at the account level without triggering a deeper investigation, followed by a second intrusion event that, in retrospect, may have been the same actor who simply maintained access or regained it quickly after the initial account reset. Password resets do not close a compromised network. They close a door while the attacker is already in the next room.
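What that deeper investigation looks like in practice can be shown with a short triage script. This is an added example, not code from the college, from the forensic firm, or from any of the reporting cited here; the log events, account names and addresses in it are constructed, and the event format is an assumption (real inputs would be Windows security events or identity-provider sign-in logs). It asks one question of the authentication record: after the reset, did anything keep coming from the sources that were only ever seen during the suspicious window, and under which accounts?

```python
from datetime import datetime

# Constructed sample authentication events, not real Clackamas telemetry.
# Each row is (ISO timestamp, event, account, source). In practice these
# would come from Windows security logs or identity-provider sign-in logs.
SAMPLE_EVENTS = [
    ("2025-09-08T22:14:00", "logon_ok", "jdoe", "203.0.113.45"),       # unfamiliar external address
    ("2025-09-09T01:02:00", "logon_ok", "jdoe", "203.0.113.45"),
    ("2025-09-09T08:10:00", "logon_ok", "jdoe", "10.20.5.17"),         # the user's usual workstation
    ("2025-09-10T09:30:00", "password_reset", "jdoe", "helpdesk-01"),
    ("2025-09-10T09:31:00", "logon_fail", "jdoe", "203.0.113.45"),     # old credential tried after reset
    ("2025-09-10T09:40:00", "logon_ok", "svc_backup", "203.0.113.45"), # a different account, same source
    ("2025-09-12T08:00:00", "logon_ok", "jdoe", "10.20.5.17"),
    ("2025-09-12T08:05:00", "logon_ok", "mlee", "10.20.5.17"),
]


def _ts(value):
    return datetime.fromisoformat(value)


def triage(events, account, known_good_sources):
    """Assess whether resetting `account` actually ended the intrusion.

    Suspicious sources are those the account authenticated from before the
    reset that are not on its known-good list. Any event from those sources
    after the reset, by any account, means the reset closed one door while
    the actor still had others.
    """
    rows = sorted(events, key=lambda e: e[0])
    resets = [_ts(ts) for ts, ev, acct, _ in rows
              if ev == "password_reset" and acct == account]
    if not resets:
        return {"verdict": "no reset recorded", "reset_at": None,
                "suspicious_sources": set(), "post_reset_activity": [],
                "other_accounts": set()}
    reset_at = resets[0]
    suspicious = {src for ts, ev, acct, src in rows
                  if acct == account and ev == "logon_ok"
                  and _ts(ts) < reset_at and src not in known_good_sources}
    post = [(ts, ev, acct, src) for ts, ev, acct, src in rows
            if _ts(ts) > reset_at and src in suspicious]
    other = {acct for _, _, acct, _ in post if acct != account}
    if other:
        verdict = "reset did not contain the intrusion: other accounts active from suspicious sources"
    elif post:
        verdict = "suspicious sources still probing after reset"
    else:
        verdict = "no further activity from suspicious sources"
    return {"verdict": verdict, "reset_at": reset_at.isoformat(),
            "suspicious_sources": suspicious, "post_reset_activity": post,
            "other_accounts": other}


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS, "jdoe", known_good_sources={"10.20.5.17"})
    print(result["verdict"])
    for row in result["post_reset_activity"]:
        print("  ", *row)
```

On the constructed data the script reports that the reset source address kept working after the reset, first with a failed attempt on the old credential and then with a successful logon as a service account. That second line is the finding that turns a helpdesk ticket into an incident: the account to investigate is no longer the one that was reset.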

What Was Taken and Why It Matters

The breadth of data types confirmed in the Clackamas breach is striking, and it is worth examining each category through the lens of what it enables downstream.

According to filings submitted by the college's attorney, Pasha Sternberg, to the Maine Attorney General, and independently confirmed by Lynch Carpenter LLP's public investigation announcement, the compromised records may include names in combination with any of the following: dates of birth, Social Security numbers, student record information, government identification numbers, tax identification numbers, medical information, passport numbers, and financial account information.

Read that list again and think about what a threat actor — or the buyer of that data on a dark web marketplace — can do with it.

A Social Security number combined with a date of birth and a name is sufficient to open credit accounts, file fraudulent tax returns, and apply for government benefits. These are not theoretical harms. The IRS has consistently processed over one million fraudulent refund claims tied to stolen identities annually in recent years, with individual fraudulent refunds averaging over $8,000, according to IRS annual identity theft reporting.

Medical information opens a second attack surface. Medical identity theft — using someone's identity to obtain healthcare, prescription drugs, or insurance payments — is among the most damaging forms of identity fraud because the consequences are not merely financial. Fraudulent entries in medical records can affect actual clinical decisions for victims who may not discover the problem for years.

Passport numbers, when combined with other identity data, are particularly valuable in fraud ecosystems that specialize in international identity packages — documents of identity sold on criminal markets to individuals seeking to establish new personas across jurisdictions. A passport number alone is not actionable, but combined with a birth date, SSN, and a student record showing institutional affiliation, it becomes part of a synthetic identity kit.

Financial account information — a category that includes account numbers, routing numbers, and potentially more specific data depending on what was in those files — enables direct fraud and account takeover.

"That makes it very, very ripe. And then you layer on the fact that [the data] is so sensitive and so longitudinal and so personal, and there's a huge vulnerability." — Noelle Ellerson Ng, School Superintendents Association, via NPR/IBM Think

What makes educational data particularly dangerous is not merely its breadth but its age. The college's own president noted that the compromised data appeared to come from a drive that had accumulated files over time. In the 2024 LockBit breach at the same institution, Clackamas reported that the compromised data was "limited student data mostly from the years 2013 to 2018" — a relatively bounded slice. The 2025 Medusa breach appears to have swept a far broader accumulation: the Maine AG filing discloses data categories including passport numbers, medical information, and tax identification numbers that suggest records spanning multiple decades of institutional history, not just a single archived cohort. Students from the 2013–2018 era are adults now. Their SSNs and dates of birth have not changed. Their credit histories are mature. They may have mortgages, children, business accounts. The attack surface that was opened years ago follows them forward in time indefinitely.

This is the longitudinal trap of educational records: institutions hold data for decades, retention schedules are inconsistently enforced, and the actual risk of a record breached in 2025 extends across the entire remaining lifespan of the person it describes.

Inside Medusa: A Ransomware Franchise

Medusa is not a single hacker or even a single team. It is a Ransomware-as-a-Service (RaaS) operation — a franchise model for cybercrime that has been active since June 2021 and transitioned to an affiliate-based structure sometime around 2023.

To understand why this matters, you need to understand how RaaS actually works at a technical and operational level.

The Franchise Model

In a traditional ransomware operation, the same group develops the malware, gains access to networks, deploys the payload, negotiates the ransom, and receives payment. RaaS decouples these functions. The core developers — often called the "operators" — write and maintain the malware, manage the negotiation infrastructure, run the data leak site, and collect a percentage of each ransom. The "affiliates" — essentially franchisees — are the ones who actually break into networks and deploy the payload. They pay the operators a cut, often 20 to 30 percent, in exchange for access to the malware, the negotiation platform, and technical support.

According to a March 2025 joint advisory from the FBI, CISA, and the Multi-State Information Sharing and Analysis Center (MS-ISAC), Medusa's core developers recruit initial access brokers (IABs) through criminal forums and offer them between $100 and $1 million USD depending on the value of the target network being sold. An IAB's job is to find and compromise a foothold — a valid credential, an exploitable vulnerability, a phishing payload that lands — and sell that access to Medusa affiliates, who then take over and conduct the actual breach operation.

This means Clackamas was not necessarily targeted by a single actor who found them, researched them, and decided to attack. It may have been targeted because someone, somewhere, had a list of compromised credentials or accessible endpoints — and a Medusa affiliate purchased that access and ran the playbook.

RaaS Scale

As of February 2025, Medusa had claimed over 300 confirmed victims across critical infrastructure sectors. By the end of 2025, the group's total claimed attacks exceeded 366, representing a 42 percent increase from 2023 to 2024 alone. In just the first two months of 2025, Medusa claimed over 40 new attacks — roughly one every two days. Sources: CISA Advisory AA25-071A (March 2025), Symantec Threat Hunter Team via The Hacker News (March 2025).

The Double Extortion Model

Early ransomware operations worked on a single lever: encrypt the victim's files, demand payment for the decryption key. The problem, from the attacker's perspective, was that a victim with good backups could simply restore and ignore the ransom demand.

Double extortion changes the economics. In a double extortion attack, the threat actor exfiltrates data before encrypting anything. This creates a second, independent extortion vector that backups cannot resolve. Even if Clackamas restored every system from clean backups in 48 hours, Medusa would still hold 1.2 terabytes of sensitive records and would still threaten to publish them unless paid. The ransom is not for the decryption key — it is for silence.

Medusa publishes non-paying victims on its dark web "Medusa Blog," a data leak site that posts stolen documents as proof of access and advertises them for sale. The site runs a countdown timer. Victims can pay $10,000 USD in cryptocurrency to add a single day to the countdown. According to the CISA-FBI advisory, at least one victim who paid the full ransom was subsequently contacted by a separate Medusa actor claiming the negotiator had stolen the payment — a third extortion attempt layered on top of the original two.

The average Medusa ransom demand, according to Comparitech research published in January 2026, is $529,000. The demand made to Clackamas, $300,000, was below that average, which likely reflects the college's constrained financial profile compared to corporate targets. Whether Clackamas paid the ransom is not publicly known; neither the college nor Medusa has confirmed payment or non-payment.

Attribution and Geography

Medusa is believed to operate out of Russia or a Russian-aligned state. Evidence for this includes the group's consistent avoidance of targeting organizations within Russia and the Commonwealth of Independent States, activity on Russian-language dark web forums including RAMP, and intelligence linking the operation to a broader eCrime group called "Frozen Spider," according to Check Point Research. However, Medusa's RaaS structure means that individual attacks may be carried out by affiliates located anywhere in the world. The specific actors behind the Clackamas breach have not been publicly identified.

Separately but relevant to the broader picture: Symantec's Threat Hunter Team reported in February 2026 that North Korea's Lazarus Group has been observed deploying Medusa ransomware as an affiliate, using ransom proceeds to fund espionage operations. Symantec attributes the campaign to Lazarus broadly but declines to name a specific sub-group with confidence — the tactics resemble the Stonefly (also known as Andariel) sub-group's prior operations, but the tools used are not exclusive to Stonefly. This does not mean Lazarus hit Clackamas. It means that Medusa's affiliate model has become attractive enough that nation-state actors are buying in. The ransomware ecosystem is no longer the exclusive domain of financially motivated criminal syndicates.

The Attack Chain, Step by Step

While Clackamas has not publicly confirmed every technical detail of how the attacker gained and maintained access, the general Medusa attack chain is well-documented by CISA, FBI, and independent security researchers. Combined with what the college did disclose — that the initial suspicious activity was tied to a single user account — a probable reconstruction looks like this:

Stage 1: Initial Access

Medusa actors typically gain initial access through one of three primary vectors: phishing campaigns that harvest credentials, exploitation of known vulnerabilities in public-facing applications (particularly Microsoft Exchange Server), or the purchase of access from Initial Access Brokers. The college's disclosure that the first detected activity was tied to "one of its user accounts" is consistent with a credential-based intrusion — either phished credentials, credentials stuffed from a prior breach, or credentials purchased on a dark web marketplace.

Given that Clackamas suffered a separate breach in January 2024, it is also possible that credentials or configuration details from the first breach were retained and used in the second. This is a frequently observed pattern: organizations remediate the most visible damage from one breach but fail to fully audit whether the attacker had established additional persistence mechanisms before being ejected.

Stage 2: Persistence and Lateral Movement

Once inside, Medusa actors are known to deploy legitimate remote monitoring and management (RMM) tools including SimpleHelp, AnyDesk, and MeshAgent to establish persistent remote access that blends into normal IT activity. These tools are used by legitimate administrators every day, which makes them difficult to flag purely on the basis of process behavior.

For enumeration and lateral movement, CISA's advisory documents Medusa's use of Advanced IP Scanner and SoftPerfect Network Scanner — both legitimate network tools — to map the internal environment. Windows Management Instrumentation (WMI) is used for remote execution. PowerShell commands with base64-encoded payloads are used to evade signature-based detection. Medusa actors also employ the Bring Your Own Vulnerable Driver (BYOVD) technique, in which a legitimate but known-vulnerable kernel driver is loaded to disable endpoint detection and response (EDR) software from within the kernel itself — a technique that bypasses traditional antivirus at the most privileged level of the operating system.

# CISA-documented Medusa PowerShell evasion pattern (simplified)
# Base64-encoded commands are used to hide intent from logging tools;
# [Base64EncodedPayload] is a placeholder for the base64 of the UTF-16LE command text
powershell.exe -EncodedCommand [Base64EncodedPayload]

# History deletion to cover tracks: removes the PSReadLine saved command history
Remove-Item -Path $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

# Certutil used to decode and execute payloads, bypassing application controls
certutil.exe -decode encoded_payload.txt output.exe
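Every item in that list is also a detection opportunity, because the tools run as ordinary processes and leave ordinary process-creation records. The script below is an added example, not code from CISA, the college or the reporting cited here; the events are constructed (Sysmon event 1 or Windows 4688 style, with Image and CommandLine fields), the approved-agent inventory is an empty placeholder, and the helper that builds the encoded sample exists only so the decoder can be run offline. It flags the advisory's RMM agents when they are not in an approved inventory, decodes -EncodedCommand arguments so an analyst reads the actual command rather than base64, and catches the history-deletion and certutil patterns shown above.

```python
import base64
import re
from pathlib import PureWindowsPath

# Remote management agents named in the CISA/FBI Medusa advisory. The approved
# set would come from the institution's own inventory; here it is a constructed
# placeholder, so any of these agents is flagged for review.
RMM_TOOLS = {"simplehelp", "anydesk", "meshagent"}
APPROVED_RMM = set()

# -e, -ec, -en, -enc and -EncodedCommand all mean the same thing to PowerShell.
ENC_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})")


def ps_encode(command):
    """Base64 over UTF-16LE, the -EncodedCommand wire format. Used only to build
    the constructed sample below so the decoder can be exercised offline."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the plaintext behind -EncodedCommand, or None if there is none."""
    match = ENC_RE.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable encoded command>"


def analyze(event):
    """Return (rule, detail) findings for one process-creation event
    (Sysmon event 1 or Windows 4688 style: Image and CommandLine fields)."""
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    cmd = event.get("CommandLine", "")
    stem = image[:-4] if image.endswith(".exe") else image
    findings = []
    if stem in RMM_TOOLS and stem not in APPROVED_RMM:
        findings.append(("rmm_tool", f"{image} started from {event.get('Image')}; not in approved RMM inventory"))
    if image in ("powershell.exe", "pwsh.exe"):
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            findings.append(("encoded_powershell", decoded))
        if "remove-item" in cmd.lower() and "consolehost_history.txt" in cmd.lower():
            findings.append(("history_deletion", cmd))
    if image == "certutil.exe" and re.search(r"(?i)-(decode|urlcache)", cmd):
        findings.append(("certutil_abuse", cmd))
    return findings


def scan(events):
    """Run analyze() over a batch and attach the host name to each finding."""
    return [{"host": ev.get("Computer"), "rule": rule, "detail": detail}
            for ev in events for rule, detail in analyze(ev)]


SAMPLE_EVENTS = [  # constructed telemetry, not real Clackamas logs
    {"Computer": "lab-ws-07", "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    {"Computer": "lab-ws-07", "Image": r"C:\Users\jdoe\AppData\Local\Temp\AnyDesk.exe",
     "CommandLine": "AnyDesk.exe --silent"},
    {"Computer": "fs-01", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -EncodedCommand "
                    + ps_encode(r"Get-ChildItem \\fs-01\shared -Recurse")},
    {"Computer": "fs-01", "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil.exe -decode encoded_payload.txt output.exe"},
    {"Computer": "fs-01", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe Remove-Item -Path $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["host"], finding["rule"], finding["detail"], sep=" | ")
```

Decoding the encoded command is the part that matters: an alert that says only "encoded PowerShell" gets triaged as noise, whereas one that shows a recursive listing of a file share tells the analyst what the actor was doing. The BYOVD step from the same paragraph needs driver-load telemetry (Sysmon event 6 with its signature fields) rather than process creation, which is why it is not in this script.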

Stage 3: Data Discovery and Exfiltration

Medusa actors use tools including Navicat (a database administration tool) to query and access databases, and rclone — a command-line program for syncing files to cloud storage — to exfiltrate data to attacker-controlled servers. RoboCopy, a standard Windows file copying utility, is also documented in Medusa intrusions for staging data prior to exfiltration.

The 1.2 terabytes exfiltrated from Clackamas is consistent with a broad, unsorted sweep of a file share rather than a surgical extraction of specific records. President Cook's description of the source as a "dumping ground" supports this interpretation. The attacker likely ran rclone or a similar tool against the most accessible shared drives, collected everything, and sorted value on the back end — or listed the entire dataset for sale without sorting it at all.
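A sweep of that size is hard to hide in network telemetry, which is where the detection opportunity sits. The following is an added example, not code from the college or from any investigator; the host names and byte counts are constructed, and it assumes that daily outbound byte totals per host have already been summarised from firewall, proxy or flow logs. It flags a host whose egress on one day dwarfs its own recent baseline while leaving a host that is always busy alone.

```python
from collections import defaultdict
from statistics import median

GIB = 1024 ** 3

# Constructed daily egress totals per host, (day, host, bytes_out). Not real data;
# in practice these come from firewall, proxy or NetFlow summaries.
SAMPLE_EGRESS = [
    ("2025-10-20", "fs-01", 2 * GIB), ("2025-10-21", "fs-01", 3 * GIB),
    ("2025-10-22", "fs-01", 2 * GIB), ("2025-10-23", "fs-01", 410 * GIB),
    ("2025-10-20", "lab-ws-07", 1 * GIB), ("2025-10-21", "lab-ws-07", 1 * GIB),
    ("2025-10-22", "lab-ws-07", 2 * GIB), ("2025-10-23", "lab-ws-07", 1 * GIB),
    ("2025-10-20", "video-srv", 120 * GIB), ("2025-10-21", "video-srv", 118 * GIB),
    ("2025-10-22", "video-srv", 125 * GIB), ("2025-10-23", "video-srv", 121 * GIB),
]


def flag_egress(rows, ratio=10.0, floor_bytes=50 * GIB):
    """Return one alert per (host, day) whose outbound volume is both above an
    absolute floor and at least `ratio` times that host's median on other days."""
    per_host = defaultdict(lambda: defaultdict(int))
    for day, host, sent in rows:
        per_host[host][day] += sent
    alerts = []
    for host, days in per_host.items():
        for day, sent in sorted(days.items()):
            others = [v for d, v in days.items() if d != day]
            if not others:
                continue  # a single day gives no baseline to compare against
            baseline = median(others)
            if sent >= floor_bytes and sent >= ratio * max(baseline, 1):
                alerts.append({"host": host, "day": day,
                               "gib_out": round(sent / GIB, 1),
                               "baseline_gib": round(baseline / GIB, 1),
                               "multiple_of_baseline": round(sent / max(baseline, 1), 1)})
    return alerts


if __name__ == "__main__":
    for alert in flag_egress(SAMPLE_EGRESS):
        print(alert)
```

The ratio against the host's own median matters more than the absolute threshold: a video or backup server moving 120 GiB a day is normal for it, whereas a file server that usually sends 2 or 3 GiB suddenly sending 410 GiB is the shape an rclone sync to outside storage produces. For a 1.2 terabyte transfer, even spread across a whole day, that is roughly 14 megabytes per second of sustained outbound traffic from a system that normally sends almost nothing.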

Stage 4: Encryption and Ransom Delivery

After exfiltration, Medusa deploys its encryption payload. The ransomware targets specific file types and appends a .MEDUSA extension to encrypted files. A ransom note — !!!READ_ME_MEDUSA!!!.txt — is dropped in affected directories, directing victims to a Tor-based live chat portal or to contact via Tox, an end-to-end encrypted messaging platform. The note includes a cryptocurrency wallet address and the ransom amount. Victims who do not respond within 48 hours receive direct outreach — phone calls and emails — from Medusa negotiators.

Whether Clackamas systems were actively encrypted in the October 2025 incident is not fully clear from public disclosures. Some Medusa incidents involve encryption of systems; others involve pure data exfiltration with a ransom threat focused entirely on publication. Unlike the January 2024 breach — which forced cancellation of classes for an entire week and took many college systems offline — the October 2025 incident did not produce reports of similar operational disruption, which suggests that if encryption occurred, it was limited in scope.

Why Education Is the Bullseye

Clackamas is not an anomaly. It is a data point in a pattern so consistent that it has become the subject of federal advisories, academic research, and insurance industry risk modeling. Education is the single most targeted sector for ransomware attacks globally. Research from Check Point, widely cited by EDUCAUSE and higher education security publications, found that higher education institutions face nearly 2,300 cyberattack attempts per week. Research from Comparitech logged 49 confirmed ransomware attacks on US educational institutions in 2025 through January 2026, compromising more than 3.8 million records — a figure that has continued to climb as additional breach notifications are filed.

The reasons are structural, and they do not change quickly.

Educational networks are architecturally complex in ways that few enterprise environments match. A community college serves students, faculty, staff, contractors, visiting researchers, and community members — all accessing the same underlying infrastructure with wildly varying levels of security awareness. Students use personal devices on campus networks. Faculty demand administrative rights to install specialized software. The IT team manages everything from badge readers to learning management systems to financial aid portals, often with a staff that would be considered critically understaffed by private-sector standards.

Legacy systems compound this problem. Higher education institutions were early adopters of networked computing, which means they often carry systems and configurations that have been in place for 15 to 20 years. These systems were not designed with modern threat models in mind. They may not support modern authentication standards. Patching them requires careful coordination because they are often deeply integrated with other systems — and in many cases, the vendor no longer exists to provide patches at all.

The data profile of educational institutions is also uniquely attractive. Schools hold a longitudinal record of every student: their legal name, date of birth, Social Security number (required for federal financial aid), emergency contact information, health records (for athletics and accommodation requirements), and in many cases, passport numbers and financial data for international students or scholarship recipients. This data was collected over decades, is rarely purged according to a strict schedule, and lives across a complex mix of official systems and informal file shares — exactly the kind of environment that produces a "dumping ground."
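One way to find out whether a file share has become that kind of dumping ground is to inventory it for sensitive patterns and age. The script below is an added example, not a tool from the college or from any party in this story; it builds a small constructed share in a temporary directory (with placeholder SSN-format values that are not real numbers), then reports every file containing SSN-like values or passport references together with its age and whether it is past an assumed seven-year retention cutoff.

```python
import os
import re
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

# SSN format with the structurally invalid ranges excluded (area 000/666/9xx,
# group 00, serial 0000). This finds SSN-shaped values, not confirmed SSNs.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
PASSPORT_HINT = re.compile(r"(?i)\bpassport\s*(?:no|number|#)")


def build_sample_share():
    """Create a constructed share in a temp dir: one stale export from 2014-era
    financial aid processing, one current roster, one harmless note."""
    root = Path(tempfile.mkdtemp(prefix="share_"))
    (root / "financial_aid" / "2014").mkdir(parents=True)
    (root / "registrar").mkdir()

    stale = root / "financial_aid" / "2014" / "fafsa_export.csv"
    stale.write_text("name,ssn,dob\nSample Student,123-45-6789,1995-04-02\n")  # constructed value
    eleven_years_ago = (datetime.now() - timedelta(days=365 * 11)).timestamp()
    os.utime(stale, (eleven_years_ago, eleven_years_ago))  # backdate the file

    current = root / "registrar" / "roster_2025.csv"
    current.write_text("name,ssn,passport number\nSample Student,321-54-9876,X0000000\n")

    (root / "registrar" / "readme.txt").write_text("No sensitive data in this folder.\n")
    return root


def audit_share(root, retention_years=7, now=None):
    """Walk `root` and report files holding SSN-like or passport data, oldest first."""
    now = now or datetime.now()
    cutoff = now - timedelta(days=365 * retention_years)
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue  # unreadable file: record it out of band rather than abort the sweep
        ssn_hits = len(SSN_RE.findall(text))
        passport = bool(PASSPORT_HINT.search(text))
        if not ssn_hits and not passport:
            continue
        modified = datetime.fromtimestamp(path.stat().st_mtime)
        findings.append({
            "path": path.relative_to(root).as_posix(),
            "ssn_like_values": ssn_hits,
            "passport_reference": passport,
            "age_years": round((now - modified).days / 365, 1),
            "past_retention": modified < cutoff,
        })
    # Past-retention files first, then oldest first: that ordering is the purge queue.
    return sorted(findings, key=lambda f: (not f["past_retention"], -f["age_years"]))


if __name__ == "__main__":
    share = build_sample_share()
    for finding in audit_share(share):
        print(finding)
```

Modification time is a weak proxy for record age, since a bulk copy resets it, so a real sweep would also read dates out of file names and contents. The output is still the artefact that turns a retention schedule into a control: a ranked list of files that hold identity data and have no remaining operational reason to exist.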

"The biggest problem is the cultural willingness to give up control at institutions. Faculty are used to the autonomy needed to install applications, but I don't necessarily know who has got it or how to control it. And if you don't know what you have and can't reach it readily, then I don't know what my risk is." — Doug Thompson, Chief Education Architect at Tanium, via Inside Higher Ed

Thompson's observation points to something deeper than technical vulnerability: it identifies a governance problem. Academic culture prizes intellectual freedom, open access to information, and individual autonomy. These values are genuinely important. They are also in direct tension with the zero-trust architecture principles, mandatory multi-factor authentication, application whitelisting, and tightly segmented network access that modern security requires. Threading that needle without triggering institutional backlash is one of the most difficult challenges in higher education IT — and it is entirely separate from whether you have the budget to do it.

The Budget Problem That Won't Go Away

The Clackamas breach did not happen because the institution was indifferent to security. Internal reporting from The Clackamas Print reveals that the college's head of IT and a Vice President had both requested additional funds for a comprehensive cybersecurity improvement program expected to take three years — and the funding ran out before completion. The college's overall cybersecurity budget has grown roughly 25 percent since 2022, from approximately $4.5 million to $5.5 million in 2025, according to the same reporting. The IT department requested an additional $2.8 million to reach what they described as a minimum security standard over a three-year improvement window.

"In the meantime Clackamas Community College will not be optimized," IT head Waraich was quoted as saying. "Even if the IT department gets the $2.8 million into the budget as requested, the college is only hitting the minimum standard over the next three years. Not exactly the most reassuring state to find one's personal information in."

This is the institutional trap in high definition: the budget to reach a minimum standard was not approved, the previous cybersecurity contract period ended, and the institution was hit again before the next funding cycle could deliver improvements. The attacker did not need to be sophisticated. The attacker just needed to move faster than a public institution's budget approval process.

Research from Action1 found that 44 percent of educational institutions devote only 10 percent of their total IT budget to cybersecurity, and 78 percent do not employ dedicated cybersecurity specialists. IBM's research on ransomware in education found that the average ransom demand in higher education reached $4.4 million in recent years — far exceeding what most institutions spend on security in any given year. The economics create a perverse attractor state: underfunded security postures make attacks more likely, successful attacks are expensive, and the cost of the attack depletes the budget that should have been spent on prevention.

Moody's, the bond rating agency, found that college and university cybersecurity budgets increased by more than 70 percent over the five years ending in 2024. That sounds significant. But when the baseline is insufficient, a 70 percent increase still leaves you below threshold — and it does nothing to address the legacy infrastructure, the cultural resistance to access controls, or the data governance debt accumulated over decades of unmanaged file share growth.

The Legal Aftermath

The class-action lawsuit reported by Oregon Live on February 28, 2026 follows a well-worn legal path. The suit alleges that the breach occurred because the college stored students' private information negligently — a claim that will center on whether Clackamas implemented reasonable security measures given the sensitivity of the data it held, the known threat landscape facing educational institutions, and its own prior breach history.

That prior breach history is important. Courts and regulators increasingly view a second breach as evidence that an organization failed to adequately remediate the vulnerabilities exposed in the first. When an organization experiences a ransomware attack in January 2024, receives federal law enforcement assistance, acknowledges the compromise of thousands of records, and then experiences a second ransomware attack from a different group in October 2025, the question "what did you fix?" becomes central to the legal analysis.

Lynch Carpenter LLP, a class action firm that has filed numerous data breach cases nationally, announced in January 2026 that it is investigating claims against Clackamas. Under Oregon's Consumer Information Protection Act (ORS 646A.600-646A.628), organizations must notify affected Oregon consumers whose personal information was subject to a breach of security and must provide a sample notice to the Oregon Attorney General when more than 250 consumers are affected. Multiple state attorneys general received filings in this case, including Maine and Vermont — states where affected individuals apparently reside.

Clackamas has offered affected individuals one year of free credit monitoring and identity theft protection through IDX, a standard remediation offer in breach litigation contexts. Whether this offer will factor into the class action's damages analysis remains to be seen. Courts have increasingly recognized that credit monitoring, while useful, does not fully compensate for the long-tail risk of identity theft that can persist for years after a breach. The combination of SSNs, medical data, passport numbers, and financial account information disclosed in this breach creates a harm profile that one year of credit monitoring cannot fully address.

Legal Note

Clackamas Community College is a public institution. Class action suits against public entities involve procedural complexities, including potential sovereign immunity questions and Oregon Tort Claims Act limitations on damages. These factors will shape the litigation strategy and potential settlement value. Affected individuals seeking to join the suit should contact a qualified attorney promptly, as state-specific statutes of limitations apply.

The broader legal landscape around educational data breaches is evolving. FERPA (the Family Educational Rights and Privacy Act) governs the privacy of student education records but is enforced by the Department of Education rather than through a private right of action — meaning students cannot sue under FERPA directly. Plaintiffs in data breach cases against educational institutions therefore typically rely on state negligence, breach of implied contract, or consumer protection statutes, as the Oregon suit appears to do. The absence of a federal private right of action under FERPA has long been a gap that plaintiffs' attorneys have worked around, and recent state legislative activity suggests that more states may eventually create stronger statutory causes of action specifically for educational data breaches.

What Affected Individuals Should Do Right Now

If you received a breach notification letter from Clackamas Community College, or if you attended or worked at the institution and have not received a letter but believe your records may be in scope, the following steps reflect standard best practices for responding to a breach of this scope. These are not hypothetical — the data types confirmed in this breach create specific, actionable risks.

Place a credit freeze at all three major bureaus. A credit freeze is free and prevents new credit accounts from being opened in your name. It is stronger protection than a fraud alert. Contact Equifax (equifax.com), Experian (experian.com), and TransUnion (transunion.com) directly. A freeze does not affect your existing accounts or credit score. You can temporarily lift it when you legitimately need to apply for credit.

Place a fraud alert. A fraud alert requires creditors to take additional verification steps before extending credit in your name. Unlike a credit freeze, a single alert at one bureau is automatically shared with the other two. An extended fraud alert, available to confirmed identity theft victims, lasts seven years.

File an IRS Identity Protection PIN request. Given that SSNs and tax identification numbers were among the compromised data types, the IRS IP PIN program — which assigns you a six-digit PIN required to file your federal tax return — is an important protection against fraudulent tax filings. Available at irs.gov/identity-theft-central.

Monitor your medical records. Medical identity theft is underreported and slow to surface. Review your Explanation of Benefits statements carefully for services you did not receive. Request a copy of your medical records from major providers if you have concerns. Contact your insurer if you see anomalies.

Enroll in the IDX monitoring offered by Clackamas. The one year of monitoring provided is limited, but it is free and provides real-time alerting for certain types of fraudulent activity. Do not skip it simply because it is insufficient — treat it as a floor, not a ceiling.

Consider long-term monitoring beyond one year. The data compromised in this breach will not expire. SSNs, birth dates, and passport numbers remain actionable indefinitely. The risk does not end when the free monitoring period does.

Key Takeaways

  1. Credential incidents are not contained by password resets alone: The September 2025 suspicious activity at Clackamas was addressed by resetting an account. Six weeks later, the same or a related actor exfiltrated 1.2 terabytes. A credential incident triggers a need for full forensic investigation of what access was possible during the period of compromise — not just account remediation.
  2. Medusa is a franchise, not a single actor: The RaaS model means that Medusa attacks can be carried out by any number of affiliates who purchase access and deploy a standardized toolkit. Attribution is difficult, remediation is urgent regardless of attribution, and the affiliate structure means that disrupting one actor does not disable the operation.
  3. Data retention policies are a security control: A file share described as a "dumping ground" is a liability. Data that is not retained cannot be exfiltrated. Institutions holding sensitive records from 2013 onward — records that may have been required at the time but serve no current operational need — carry risk that scales with the age and volume of what they hold. Retention schedules are not merely compliance paperwork. They are risk management decisions.
  4. The standard applied to a second breach in litigation is severe: Organizations that experience a ransomware attack, receive extensive remediation guidance, and are then hit again face a significantly higher evidentiary burden to demonstrate reasonable care. The prior 2024 LockBit breach and the subsequent federal law enforcement engagement create a documented awareness of the threat environment that will be central to the current lawsuit. The fact that two separate ransomware groups — LockBit 3.0 in 2024 and Medusa in 2025 — both found Clackamas to be a viable target speaks directly to the persistence of the underlying vulnerabilities.
  5. Budget gaps compound over time: Security improvement programs that are interrupted mid-cycle leave institutions in a worse position than either completing the program or not starting it — because partially implemented controls can create false confidence while leaving critical gaps unaddressed. The Clackamas IT department's own assessment that it would "only be hitting minimum standard over the next three years" even with full funding should be a signal to every institution still treating cybersecurity as a secondary line item.
  6. Educational data harm is longitudinal: A breach of records that includes SSNs and birth dates of students from 2013 to the present creates a risk profile that extends across the entire remaining lifetime of those individuals. One year of credit monitoring addresses a fraction of that exposure. Affected individuals should treat this as a permanent status change to their identity risk profile, not a one-time event to be managed and forgotten.

The Clackamas breach is a case study, but it is not a cautionary tale in the sense of being unusual. It is a cautionary tale in the sense of being representative. Across the country, community colleges, state universities, and K-12 districts hold decades of sensitive records in infrastructure that was never designed to defend against industrialized cybercrime. The attackers have built a franchise model. The targets have not yet built a commensurate defense. Until that changes — through sustained funding, genuine governance reform, and the political will to treat educational data with the same seriousness as financial data — the timeline described in this article will keep repeating itself, with different names and the same outcome.

Thirty-three thousand people received letters in January. The drive they came from has been described, by the college's own president, as a dumping ground. That phrase deserves to outlive this news cycle.


Sources: CISA Joint Advisory AA25-071A (March 12, 2025) — cisa.gov; Maine Attorney General breach filing via The Clackamas Print (February 2026); Comparitech breach coverage (January 9, 2026) and Education Ransomware Roundup 2025 — comparitech.com; Lynch Carpenter LLP announcement via Globe Newswire (January 12, 2026); Check Point Research Medusa analysis (August 2025) — checkpoint.com; Symantec/Broadcom Threat Hunter Team, "North Korean Lazarus Group Now Working With Medusa Ransomware" (February 2026) via The Hacker News and security.com; The Clackamas Print, "Cyber attack causes college to cancel classes" (January 2024) and "Nearly 9,000 students have data compromised" (May 2024); IBM Think ransomware in education (2025) — ibm.com/think; Inside Higher Ed (July 2024); EDUCAUSE Review cybersecurity in higher education (2024); Check Point Research cyberattack frequency in education; Oregon Live class action report (February 28, 2026); Vermont Attorney General breach notice filing (January 8, 2026); Action1 / BreachSense breach data; Picus Security Medusa analysis (March 2025) — picussecurity.com; CrowdStrike Frozen Spider adversary profile; IRS identity theft annual reporting.