The president of Trocaire College confirmed that hackers accessed sensitive information in a cyberattack. While no misuse of the stolen data has been detected so far.
Cyberattack at Trocaire College Exposes Sensitive Data
A cyberattack at Trocaire College last year exposed personal information of thousands of current and former students and employees, but victims were not notified for nearly 10 months.
That delay is among the allegations in three separate lawsuits seeking class-action status to sue the private college in Buffalo. The lawsuits also accuse Trocaire of lacking standard cybersecurity safeguards to protect sensitive information.
The stolen data included names and Social Security numbers, information considered a gold mine for hackers because they can be used to gain access to or open financial accounts and file fraudulent tax returns, among other crimes.
Trocaire detected the cyberattack on March 13, 2025, and believe more than 23,000 people could be impacted, according to a notice the college filed with the Maine Attorney General, and obtained by News 4 Investigates.
News 4 Investigates also obtained letters to attorneys general in Maine and New Hampshire, stating the college “immediately took steps to secure the network, and initiated an investigation, aided by independent cybersecurity experts, to determine what happened and whether sensitive
information may have been affected.”
Ex‑DEA agent who shielded drug organization sentenced to 5 years
Those letters sent by Constangy Brooks Smith & Prophete, which represents Trocaire, say the college finished its review on Dec. 4, 2025, and “notice was provided promptly thereafter.”
However, all three lawsuits dispute that claim, criticizing Trocaire for failing to alert students and employees sooner.
The college began alerting potential victims on Jan. 16, and notifications to attorneys general took even longer. For example, the letters to the attorneys general of New Hampshire and Maine are dated Jan. 28.
“Immediate notification of a Data Breach is critical so that those impacted can take measures to protect themselves,” according to the federal lawsuit filed by LEVI & KORSINSKY, LLP, who represents a former Trocaire employee, Challis Graham. “Here, Defendant waited for ten months after being made aware of the Data Breach to notify impacted individuals.”
Graham’s lawsuit alleges she experienced a “significant uptick in spam calls, messages, and emails,” following the cyberattack. The lawsuit also notes that stolen personal information “is often trafficked on the dark web, a heavily encrypted part of the Internet that is not accessible via traditional search engines.”
Criminals sell Social Security Numbers, credit card numbers and other sensitive data on the dark web while concealing their identities through encryption, the lawsuit states.
