Baker University Discloses Year-Old Breach Affecting Over 53,000 Individuals

Baker University Notifies 53,624 Individuals of 2024 Data Breach Exposing SSNs, Health, and Financial Data

CRITICAL
December 23, 2025
December 28, 2025
5m read
Data BreachIncident ResponseOther

Impact Scope

People Affected

53,624

Affected Companies

Baker University

Industries Affected

Education

Geographic Impact

United States (national)

Related Entities(initial)

Organizations

Office of the Maine Attorney General

MITRE ATT&CK Techniques

T1078Defense Evasion

Valid Accounts

T1003Credential Access

OS Credential Dumping

T1046Discovery

Network Service Discovery

T1021Lateral Movement

Remote Services

Full Report(when first published)

Executive Summary

Baker University, a private university in Kansas, has disclosed a major data breach that occurred a year ago, impacting 53,624 individuals. According to the notification, unauthorized actors had access to the university's network for a 17-day period in December 2024. The attackers accessed and potentially exfiltrated a vast amount of highly sensitive personal, financial, and health information. Compromised data includes Social Security numbers, financial account details, passport numbers, and medical information. The university's one-year delay in notifying victims raises significant concerns about its incident response process. All affected individuals are being offered complimentary credit monitoring services.

Threat Overview

The security incident took place between December 2, 2024, and December 19, 2024, during which time an unauthorized party had persistent access to Baker University's network. The breach was first detected in December 2024 after a network outage prompted an investigation with external cybersecurity experts. However, the full scope and the notification to victims were not finalized until a year later.

The breach exposed a wide array of sensitive data, creating a high risk of identity theft and fraud for the victims. The compromised information includes:

  • Names and dates of birth
  • Social Security numbers (SSNs)
  • Student and tax identification numbers
  • Financial account information
  • Health insurance and medical information
  • Passport numbers

While the university states it has no evidence of the data being misused, the long exposure time and the value of the stolen information make misuse highly probable. The identity of the attackers and the specific vector of compromise have not been disclosed.

Technical Analysis

The long dwell time (17 days) suggests the threat actors were skilled at remaining undetected after their initial intrusion. This often involves using legitimate credentials and tools to blend in with normal network activity.

MITRE ATT&CK Techniques (Inferred)

  • T1078 - Valid Accounts: Attackers likely used compromised credentials to gain initial access and move laterally within the network.
  • T1003 - OS Credential Dumping: To escalate privileges and gain wider access, attackers would have targeted stored credentials on compromised systems.
  • T1046 - Network Service Discovery: Once inside, the attackers would have scanned the network to identify servers containing valuable data, such as student information systems and financial databases.
  • T1021 - Remote Services: Lateral movement was likely achieved by using remote services like RDP or SMB to access other systems on the network.
  • T1567.002 - Exfiltration Over Web Service: The attackers would have staged and exfiltrated the stolen data, possibly over encrypted web channels to avoid detection.

Impact Assessment

The impact of this breach is critical for the 53,624 affected individuals. The combination of SSNs, financial data, and health information is a 'full package' for identity thieves, enabling them to open new lines of credit, file fraudulent tax returns, and commit medical fraud. The university faces severe reputational damage, particularly due to the one-year delay in notification, which may violate breach notification laws in various jurisdictions and could lead to regulatory fines and class-action lawsuits. The incident highlights a potential failure in the university's incident response and communication strategy.

Cyber Observables for Detection

To detect similar intrusions, organizations should monitor for:

Type Value Description
Event ID 4624 (Logon) Monitor for successful logons at unusual times or from unexpected IP addresses.
Process Name lsass.exe Alert on suspicious processes attempting to access the memory of lsass.exe, a common credential dumping technique.
Network Traffic Pattern Large, unexpected data flows to external destinations. An indicator of data exfiltration.
Log Source VPN logs, Firewall logs, EDR alerts Correlate alerts across different security tools to build a picture of an attack campaign.

Detection & Response

  1. Endpoint Detection and Response (EDR): An EDR solution is essential for detecting the techniques used in such an attack, including credential dumping and lateral movement. It provides the visibility needed to spot malicious behavior that legacy antivirus would miss.
  2. Log Aggregation and SIEM: Centralize logs from all critical systems (domain controllers, file servers, firewalls) into a SIEM. Create correlation rules to detect patterns of attack, such as a user logging in from multiple locations simultaneously or accessing an unusual number of sensitive files.
  3. Incident Response Plan: The one-year notification delay indicates a potential gap in the IR plan. A well-defined plan must include clear timelines for investigation, containment, and communication, in compliance with all relevant regulations.
  4. D3FEND Techniques: Utilize D3-PA - Process Analysis to detect suspicious command-line activity and D3-UBA - User Behavior Analysis to identify compromised accounts exhibiting anomalous behavior.

Mitigation

  1. Multi-Factor Authentication (MFA): Enforce MFA across all services, especially for remote access and access to sensitive systems. This is one of the most effective controls against credential-based attacks.
  2. Network Segmentation: Segment the network to prevent attackers from moving freely after an initial compromise. Isolate critical systems (like student databases) from the general user network.
  3. Privileged Access Management (PAM): Implement PAM solutions to tightly control and monitor the use of administrative accounts. This helps prevent privilege escalation.
  4. Data Backup and Recovery: While this was a data theft incident, having robust, offline backups is critical for recovering from a destructive attack that might accompany data exfiltration.
  5. D3FEND Countermeasures: Implement D3-NI - Network Isolation to limit an attacker's lateral movement capabilities. Enforce a D3-SPP - Strong Password Policy and MFA to make initial access more difficult.

Timeline of Events

1
December 1, 2024
The university detects the breach following a network outage and begins an investigation.
2
December 2, 2024
Threat actors gain unauthorized access to Baker University's network.
3
December 19, 2024
The period of unauthorized access ends.
4
December 1, 2025
Baker University begins notifying the 53,624 affected individuals, one year after the breach.
5
December 23, 2025
This article was published

Article Updates

December 28, 2025

New technical analysis detailing different inferred TTPs (phishing, persistence, discovery, collection) and D3FEND recommendations for the Baker University breach. Additional sources included.

Update Sources:
cybermanagementalliance.comDec 2025: Biggest Cyber Attacks, Ransomware Attacks and Data Breaches
bleepingcomputer.comBaker University says 2024 data breach impacted 53,000 people

MITRE ATT&CK Mitigations

Network Segmentation

M1030enterprise

Isolate critical data stores from the general network to prevent lateral movement and limit the scope of a breach.

Multi-factor Authentication

M1032enterprise

Enforce MFA to protect against credential compromise and unauthorized access.

Privileged Account Management

M1026enterprise

Strictly control and monitor administrative accounts to prevent privilege escalation.

Audit

M1047enterprise

Implement comprehensive logging and auditing to enable timely detection of and response to security incidents.

D3FEND Defensive Countermeasures

Multi-factor Authentication

D3-MFAMaps to MITREM1032
D3FEND

The most critical preventative measure for an incident like the Baker University breach is the mandatory enforcement of Multi-factor Authentication (MFA) across all user accounts, especially for remote access (VPN) and access to sensitive applications like the student information system. Had MFA been in place, a compromised password alone would not have been sufficient for the attackers to gain initial access and maintain it for 17 days. Implementing MFA drastically increases the difficulty for attackers to leverage stolen or weak credentials, effectively stopping many account takeover attempts at the front door.

Network Isolation

D3-NIMaps to MITREM1030
D3FEND

To limit the 'blast radius' of a compromise, Baker University should have implemented robust network segmentation. Critical servers containing sensitive student, financial, and health data should be isolated in a secure enclave with strict ingress and egress filtering. This would prevent an attacker who compromises a standard user workstation or a less critical server from easily moving laterally to access the organization's 'crown jewels.' The 17-day dwell time suggests the attackers were able to move freely within a flat network. Proper isolation would have contained the breach and significantly reduced the amount of data the attackers could access and exfiltrate.

Process Analysis

D3-PAMaps to MITREM1049
D3FEND

Deploying an Endpoint Detection and Response (EDR) solution capable of deep process analysis would have provided the visibility needed to detect the attackers' activities. Techniques like credential dumping (e.g., accessing lsass.exe memory), using remote services for lateral movement (e.g., PsExec), and network reconnaissance (e.g., running 'net user /domain') create anomalous process behaviors. An EDR tool would flag these activities, allowing security analysts to investigate and intervene long before the attackers could spend 17 days on the network. This is crucial for detecting the post-compromise TTPs that lead to a large-scale data breach.

Sources & References(when first published)

More than 53K impacted by Baker University hack
SC Magazine (scmagazine.com) December 23, 2025
Baker University Data Breach Exposes Personal Information of Over 50,000 Individuals
teiss (teiss.co.uk) December 23, 2025
Baker University says 2024 data breach impacts 53,000 people
BleepingComputer (bleepingcomputer.com) December 23, 2025
Baker University Data Breach Affects 53K; Attorneys Investigating
ClassAction.org (classaction.org) December 22, 2025

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)
LinkedIn

Tags

university breachidentity theftsocial security numberhealth dataPIIbreach notificationincident response

📢 Share This Article

Help others stay informed about cybersecurity threats