St. Thomas Brushed Off Red Flags Before Dark-Web Data Dump Rocks Houston

Published on November 11, 2025

Hundreds of thousands of University of St. Thomas files have appeared on the dark web after a summer cyberattack that shut down campus systems and key services. Students, faculty, and alumni say they’ve received little information while experts and law enforcement work to find out what data was stolen, as reported by the Houston Chronicle.

According to the Houston Chronicle, investigators found at least 630,000 UST files posted online following the intrusion, which hit roughly 12 days after the university completed an IT-provider transition on July 31. Emails and documents reviewed by the Chronicle show then-CIO Reginald Brumfield raised alarms months earlier—writing that “OculusIT operates very loosely”—and flagged that endpoint protection such as CrowdStrike had not been installed on newly provisioned servers. Public records cited in the reporting also indicate UST paid about $3.8 million to Ellucian between July 2023 and June 2024 for IT services and support surrounding the transition.

Local station ABC13 also reported that a criminal group claimed responsibility for publishing the stolen data, and that university officials have been sparse with public updates. A UST spokesperson told the station that specialists were still assessing affected systems and that the university was “working on a statement” as the review continues.

What the files contain

As detailed by the Houston Chronicle, the leaked material appears to include passports and licenses, logins and passwords, bank and credit-card details, donor contact lists, and confidential settlement agreements—in one case showing payouts of up to $400,000. The Chronicle’s review also found records that appear to name students and faculty in sexual-misconduct investigations, along with internal HR and legal files that could carry long-term privacy and reputational consequences. The university has said it will notify and offer credit monitoring to anyone whose statutorily protected information was affected once the third-party review is complete.

Vendor switch left gaps, staff warned

University staff told investigators the switch from Ellucian—a major higher-ed software provider—to OculusIT was meant to modernize services. Several internal messages, however, suggest the transition was rushed and poorly documented. Faculty and IT staff say key protections and inventories weren’t in place when systems were migrated—exactly the kind of gap cybersecurity experts say can hand attackers an easy opening. Not exactly the “modernization” anyone had in mind.

Legal fallout and next steps

At least one plaintiff-side law firm has opened an investigation into potential claims stemming from the breach, inviting people who received notice or suspect they were affected to reach out. For example, Markovits, Stock & DeMarco has posted a public notice about a possible class action related to the UST incident.

How people can protect themselves

Cybersecurity specialists recommend anyone connected to the university assume credentials and financial data could be exposed: change passwords, enable two-factor authentication wherever possible, and monitor bank and credit-card statements for suspicious activity. If you receive a breach notice from UST, keep it for your records and consider placing a fraud alert or security freeze with the major credit bureaus.