University of St. Thomas Houston hit by ransomware attack, 1.8 TB of data exposed

The University of St. Thomas in Houston, Texas reports a ransomware attack that compromised university servers and resulted in the theft of approximately 1.8 terabytes of data, potentially containing information of students, faculty, staff, alumni, and donors. 

University of St. Thomas is a private Catholic university, which enrolled more than 4,300 students in fall 2024 and employs over 350 staff members.

University officials initially reported the incident on August 13, 2025, reporting it as an attempted unauthorized access to campus servers. At the time, Interim President Dempsey Rosales Acosta informed the university community via email that IT teams had proactively quarantined affected servers as a precautionary measure and stated there was no indication that university information had been compromised. The university's website and login portals remained largely inaccessible for approximately nine days, with a new limited-functionality version of the website reappearing around August 20, 2025, allowing partial access to systems such as Blackboard and email.

The ransomware attack was claimed by the Inc ransomware gang on September 3, 2025. The group stated they stole 1.8 terabytes of data. According to documents reviewed by the Houston Chronicle that were posted on the ransomware gang's leak site, the exposed data includes:

• Staff credit card numbers, bank account information, and Social Security numbers
• Employee passports and driver's licenses
• Login credentials and passwords to work-related accounts
• Student home addresses, email addresses, and phone numbers
• Donor contact information and financial details
• Monthly country club membership fee information
• Confidential settlement agreements between the university and former top-level leaders, including payouts reaching $400,000 in documented cases
• Investigations into student complaints of sexual harassment and misconduct by professors, with both students and accused employees identified by name
• Disciplinary action records and internal investigation documents
• Lawsuit details and legal proceedings involving the university
• Campus police activity reports and security incident documentation
• Financial breakdowns of annual presidential trips abroad with school supporters to international destinations including Poland, Lithuania, the Holy Land, Greek Isles, and the Netherlands
• Internal communications and correspondence from senior administrative offices
• Academic records and institutional documentation

The number of affected individuals is not disclosed. The 1.8 terabytes of stolen data could theoretically contain several million individual documents, so the breach may have impacted a significant portion of the university community and its extended network.

University President Sinda K. Vanderpool reported that formal notifications would be provided to impacted parties after completion of the investigation. On September 10, 2025, President Vanderpool followed up with an email offering free credit monitoring codes to students, faculty, and staff as a precautionary measure.

Multiple faculty members reported to the Houston Chronicle that they had not received substantive updates from university administration since early September, despite the fact that stolen data remained publicly accessible on the dark web for over one month. The university's official website and social media channels contain no public statements or acknowledgments of the cyberattack, according to reporting from multiple news outlets.