Breach Analysis · 5 min read

Clackamas Community College Breach Hits 33,000 After Dual Intrusion

Analysis of the Clackamas Community College data breach affecting 33,381 individuals after two separate unauthorized access events in September and October 2025.

By EdSecLedger
Records: 33,381
Vector: unauthorized access
Status: confirmed
Occurred: Oct 24, 2025
Discovered: Sep 10, 2025
Disclosed: Jan 8, 2026
Exposed: Names, SSN

Clackamas Community College disclosed a data breach affecting 33,381 individuals after attackers gained unauthorized access to internal systems on two separate occasions in fall 2025. The Oregon City-based institution filed its notification with the Maine Attorney General on January 8, 2026, revealing a timeline that stretched from initial detection in September through file exfiltration in October.

The breach stands out for its two-phase attack pattern. An initial compromise on September 10, 2025, was detected and the affected user account was reset. Six weeks later, on October 24, a second intrusion succeeded — this time resulting in the theft of files containing personal information including names and other sensitive data elements.

Two Waves of Unauthorized Access

The first signs of trouble appeared on September 10, 2025, when Clackamas IT staff identified suspicious activity tied to a single user account. They reset the account credentials, a standard containment step. That response bought six weeks, but it wasn't enough.

On October 24, the attackers returned. This second intrusion went further — the unauthorized third party accessed systems and exfiltrated files. Clackamas engaged a forensic security firm to investigate and secure the network. The forensic team confirmed that files were acquired from the compromised systems during that October event.

The 44-day gap between the first detection and the successful data theft raises questions about whether the initial response was sufficient. Resetting a single account without a broader investigation of how that account was compromised left the door open for the attackers to find another way in.

Delayed Discovery of Exposed Data

Despite detecting the October intrusion quickly, Clackamas didn't determine what personal information was at risk until December 18, 2025 — nearly two months after the files were stolen. The institution reviewed the exfiltrated files to identify affected individuals and the specific data elements involved.

The notification letter references "Variable Text 1: Data Elements," indicating that different individuals had different combinations of data exposed. Given the one-year IDX credit monitoring offer, the exposed data likely includes Social Security numbers or financial information for at least some victims.

From initial compromise to notification, the timeline ran from September 10 to January 8, roughly four months. Under Oregon's breach notification law (ORS 646A.604), organizations must notify affected individuals within 45 days of discovering a breach. Clackamas appears to have met this requirement, counting from the December 18 data identification date rather than the October 24 intrusion date.

Oregon's Community College Cluster

This breach didn't happen in isolation. EdSecLedger's education breach tracker shows a cluster of Oregon community college breaches in early 2025. Central Oregon Community College reported a breach affecting 5,210 individuals in March 2025, and Lane Community College disclosed a breach impacting 14,275 individuals that same month.

Oregon school districts were hit even harder. At least ten Oregon K-12 districts, including Hillsboro School District 1J (12,549 records) and North Clackamas School District (14,039 records), reported breaches in March 2025. The pattern suggests either a common vulnerability in shared infrastructure or a threat actor systematically targeting Oregon education institutions.

What This Means for Community Colleges

Community colleges face a particularly difficult cybersecurity challenge. They serve large, transient populations — students cycle through every two to four years, adjunct faculty rotate, and community members access systems for continuing education. Each of these user accounts represents a potential entry point.

Clackamas's experience highlights a common failure mode: detecting an intrusion but failing to determine its full scope. The September detection led to a single-account reset rather than a comprehensive investigation. A threat actor who has compromised one account likely has knowledge of the environment that makes re-entry straightforward.

The Cybersecurity and Infrastructure Security Agency (CISA) has repeatedly warned education institutions about persistent threat actors who maintain access through multiple credentials, backdoors, and lateral movement. A single password reset rarely removes an attacker who has already mapped the network.

FERPA and State Privacy Obligations

Community colleges that receive federal funding — which includes virtually all public community colleges — must comply with the Family Educational Rights and Privacy Act (FERPA). If the exfiltrated files contained education records, Clackamas has notification obligations under FERPA in addition to state law.

Oregon's Student Information Protection Act adds another layer of compliance requirements. The state also updated its breach notification statute in 2024 to require notification within 45 days, one of the shorter timelines in the country.

The 33,381 affected individuals represent a significant portion of Clackamas's community — the college enrolls roughly 20,000 students annually, plus staff and former students whose records may have been in the compromised files.

Steps Institutions Should Take

  1. Treat any account compromise as a potential network-wide event. A single compromised account demands investigation of how it was compromised, whether other accounts are affected, and whether the attacker established persistence mechanisms.

  2. Implement network segmentation to limit what an attacker can access from a single compromised account. Sensitive data stores containing PII should require additional authentication layers.

  3. Deploy endpoint detection and response (EDR) tools that can identify file exfiltration in real time, not weeks after the fact.

  4. Review your Oregon-specific obligations. The state's 45-day notification clock starts at discovery — not at the conclusion of the forensic investigation. Institutions should build their incident response plans around this compressed timeline.

  5. Audit shared infrastructure. If your institution shares IT services, managed service providers, or platforms with other Oregon colleges, the cluster pattern demands a proactive security review.
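
Step 1 asks whether other accounts are affected once one account is known to be compromised. The sketch below is an added example, not part of the original article or of any investigation it describes: it pivots from the compromised account to the sign-in sources it used, then lists other accounts seen on those sources and any activity from them after the credential reset. The log format, account names, addresses and function names are constructed for illustration.

```python
from datetime import datetime

# Constructed sample sign-in log (format, accounts and addresses are invented).
SAMPLE_LOG = """\
2024-03-01T08:02:11Z user=asmith src=10.20.0.5 result=success
2024-03-02T02:14:40Z user=jdoe src=203.0.113.7 result=success
2024-03-02T02:31:09Z user=jdoe src=198.51.100.23 result=success
2024-03-02T09:00:00Z user=jdoe src=10.20.0.5 result=success
2024-03-03T03:05:52Z user=mlee src=203.0.113.7 result=failure
2024-03-03T03:06:10Z user=mlee src=203.0.113.7 result=success
2024-03-20T01:47:33Z user=svc_backup src=198.51.100.23 result=success
2024-03-21T10:15:00Z user=asmith src=10.20.0.5 result=success
"""

def parse(log):
    """Yield (timestamp, user, src, result) for each well-formed line."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of guessing
        fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        if not {"user", "src", "result"} <= fields.keys():
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, fields["user"], fields["src"], fields["result"]

def scope_compromise(log, seed_user, reset_time, shared_egress=frozenset()):
    """Pivot from one compromised account to related accounts and later reuse."""
    events = list(parse(log))
    # Sources the seed account used, minus known shared addresses (campus NAT, VPN).
    seed_srcs = {s for _, u, s, _ in events if u == seed_user} - set(shared_egress)
    related, after_reset = set(), []
    for ts, user, src, result in events:
        if src not in seed_srcs or result != "success":
            continue
        if user != seed_user:
            related.add(user)  # another account signed in from the same source
        if ts > reset_time:
            # The source is still getting in after the reset: containment failed.
            after_reset.append((ts.isoformat(), user, src))
    return {"pivot_sources": seed_srcs, "related_accounts": related,
            "post_reset_activity": after_reset}

# Assumed scenario: jdoe was reset on 2024-03-05; 10.20.0.5 is a shared campus address.
REPORT = scope_compromise(SAMPLE_LOG, "jdoe", datetime(2024, 3, 5),
                          shared_egress={"10.20.0.5"})
```

Without the `shared_egress` exclusion, every account behind the shared campus address would be flagged, which is why the pivot set has to be filtered before it is used for scoping.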

Tags: breach, community_college, hacking, oregon, unauthorized_access