Two federal lawsuits filed against Mercer University allege a data breach earlier this year exposed personal information for more than 93,000 people, including employees and students.
“Criminals can now sell the victims’ data on the black market for the purpose of stealing their identities. None of this would have occurred if Mercer had implemented reasonable data security measures,” one of the suits says.
A spokeswoman for the private Macon-based university declined to comment on pending litigation.
One case, filed Friday in the Northern District of Georgia, is brought by attorneys on behalf of Jennifer Kilkus, an assistant clinical professor at the Yale School of Medicine who taught a course at Mercer in 2016 and 2018.
Kilkus, who lives in Connecticut, received a letter dated May 19 from Mercer notifying her of “unlawful access” into its computer servers that took place in mid-to-late February, according to a copy of the letter included in the court file.
In the letter, Mercer said it “learned of the intrusion on April 5″ and on April 30 discovered that some files may have included individuals’ names in combination with their Social Security number and/or their driver’s license number.
Mercer offered Kilkus and others complimentary membership to an identity theft protection service.
In a May statement to The Atlanta Journal-Constitution, the university said it launched an investigation with the help of law enforcement plus legal and technical consultants. The school said it “has taken extensive measures to protect the privacy of its information.”
Kilkus’ lawsuit describes the breach as “highly foreseeable” and takes issue with how long it took the university to detect the problem and notify victims of the breach.
The suit alleges that Mercer failed to train employees on basic cybersecurity protocols such as effective password management, encryption and how to protect sensitive information.
A second suit, also filed last week in the Northern District of Georgia, lists as its lead plaintiff an unidentified “John Doe” who is described as a Mercer alumnus who lives in LaGrange, Georgia, and is a victim of the breach.
That plaintiff incurred “fraudulent credit card charges” after Mercer notified him of the data issue last month.
Charles Moore, a New York attorney working on that case, told the AJC in an email that firm is adding more alleged victims to the group.
Both suits seek a jury trial and damages, including attorneys’ fees.