Albion College Data Breach Exposes Sensitive Personal Info

On April 18, 2025, Albion College, a private liberal arts institution in Albion, Michigan, concluded an investigation into a significant data breach that exposed the personal information of 6,930 individuals across the United States. The breach, which was first discovered on December 17, 2024, involved unauthorized access to the college’s network.

According to official disclosures, the compromised data included a wide range of sensitive information: names, Social Security numbers, government-issued identification numbers (such as passports and state ID cards), financial account details (including account numbers and credit or debit card numbers), and medical information.

The breach was first reported to the Maine Attorney General’s office, Texas Attorney General’s office, and Massachusetts Attorney General’s office on May 2, 2025, after the college completed its internal review. The number of affected individuals includes 275 in Texas, 3 in Maine, and 10 in Massachusetts.

The breach has been attributed to the MEDUSA ransomware group, which claimed responsibility on its dark web portal and threatened to publish stolen data within 11 to 12 days, even providing sample screenshots as proof. The attack was classified as a ransomware incident and was posted on the Tor network.

Albion College's response

In response to the breach, Albion College immediately launched an investigation with the assistance of external cybersecurity professionals specializing in these types of incidents. The college reviewed the scope of the attack and identified all individuals whose information had been accessed or removed. Written notifications were sent to affected individuals via U.S. Mail beginning May 1, 2025.

To support those impacted, Albion College is offering a complimentary one-year membership in Equifax® Credit Watch™ Gold. This service includes credit monitoring, daily access to credit reports, WebScan notifications for compromised information, automatic fraud alerts, identity restoration assistance, and up to $1,000,000 in identity theft insurance coverage. Instructions for enrolling in this service are provided in the official notification letter.

Given the nature of the breach—specifically the involvement of ransomware and the theft of both PII and PHI—affected individuals are strongly encouraged to:

• Enroll in the free credit monitoring service provided.
• Place a fraud alert or security freeze on their credit files with major credit bureaus.
• Regularly review financial statements and credit reports for suspicious or unauthorized activity.
• Contact their financial institutions to discuss additional protective measures, such as closing or changing account numbers.
• Remain vigilant for any signs of identity theft or misuse of medical information.

Additional resources and detailed instructions for identity theft prevention, credit monitoring enrollment, and contacting relevant authorities are included in the official notice, which will be available in PDF format at the bottom of this page.