Texas’ University of St. Thomas faced a data breach in August, but following weeks of silence, reporters found that the university had received multiple warnings about data security.
On August 12th, 2025, the University of St. Thomas faced a hacking incident against its servers, preventing students from accessing their course schedules or financial aid information. The incident took place less than a week before the start of the semester, but the school ultimately decided to proceed as usual. At the time, the university initially said no information was compromised and that the servers had been quarantined “out of an abundance of caution.”
Recently, however, it was discovered that the incident did impact students. Ultimately, over 630,000 files were leaked onto the dark web. Information included student and employee names, Social Security numbers, addresses, dates of birth, passport and license information, logins and passwords, and donor contact information. The breach also included staff criminal records, past complaints against staff, vaccination records, and banking information.
Yet, prior to the hack, the university’s Chief Information Officer (CIO) raised concerns about the school’s cybersecurity. According to the Houston Chronicle, St. Thomas had been switching IT providers from Ellucian to Oculus IT.
According to recently revealed emails, in May, 2025, administrators were told that the process was not going well. An Ellucian employee who worked with St. Thomas’ CIO stated, “I am concerned about changes being made on the fly and the lack of thought when it comes to providing access.”
Ellucian’s contract with the university ended less than two weeks before the incident took place. Now, the university is continuing operations with renewed speculation about what may have caused the attack and if the issue could have been prevented.
Information about the incident is still emerging. St. Thomas has yet to provide any public information on its website and appears to still be investigating. According to the CIO at Penn State University and the University of Wisconsin-Madison, it’s possible that the switch between Ellucian to Oculus could have contributed to the incident: times of transition can result in security measures falling short. Had St. Thomas conducted a risk analysis or audited their systems for vulnerabilities, the incident may have been avoided.
While the university is still investigating, it’s a clear reminder to heed the advice of security officials and be mindful whenever switching between software or technology. Every organization, including colleges, should carefully audit their cybersecurity protocols and regularly conduct risk analyses. In healthcare, this issue is especially salient as healthcare data can be extremely valuable on the dark web.
Melanie Fontes Rainer, director of the Office of Civil Rights, has specifically stated, “Failure to conduct a risk analysis leaves health care entities exposed to future hacking and ransomware attacks. OCR urges health care entities to take the necessary steps to reduce risks and vulnerabilities and safeguard protected health information.
It’s currently unclear if St. Thomas will face a suit, but several law firms are trying to gather victim information for a potential case.
No, it’s currently unclear how many individuals were impacted. The school has an enrollment of approximately 4,200. Nevertheless, reports estimate that 630k files were released onto the dark web, likely coming from a mixture of staff and students.