Monmouth University in New Jersey has been hit by the PEAR (Pure Extraction and Ransom) cybercriminal group, which claims to have stolen 16 terabytes of institutional data — 28 times the average volume exfiltrated in comparable ransomware attacks. University President Patrick Leahy confirmed the incident to the campus community via email, acknowledging unauthorized access to university information and stating that cybersecurity experts and law enforcement have been engaged. PEAR has claimed responsibility for 64 ransomware attacks to date, with 13 victim-confirmed. Six of those targets were educational institutions.
What Happened
The PEAR group posted Monmouth University to its dark web leak site this month, claiming the theft of 16TB of institutional data. Shortly after, University President Patrick Leahy sent a direct email to students confirming an incident that "resulted in unauthorized access to some information" — a measured acknowledgment that the attack was real, while stopping short of confirming PEAR's 16TB figure.
Leahy's email confirmed two key response actions: cybersecurity specialists have been retained for forensic investigation, and law enforcement has been notified. The university has warned students to be on high alert for phishing campaigns impersonating university communications — a practical indicator that student and staff data is considered at risk of exploitation.
Comparitech's head of data research Rebecca Moody characterized the 16TB claim as "extensive" and flagged the scale as a significant outlier in the higher education breach landscape. The investigation is ongoing and the full scope of compromised data has not been confirmed by the university.
PEAR operates under a double-extortion model: exfiltrate data before deploying ransomware (or threatening to), then demand payment under threat of public release. The group's 64-attack portfolio and 13 confirmed victims suggest a mid-tier but operationally active RaaS operator with a demonstrated pattern of targeting institutions with weaker security postures and high public accountability — characteristics that define most U.S. universities.
What Was Taken
PEAR claims 16TB of data — unverified but unchallenged by the university at the time of writing. For a mid-sized private university like Monmouth (approximately 6,000 students), a university-wide data breach would typically encompass:
- Student records — names, dates of birth, Social Security numbers, enrollment status, academic transcripts, grades, disciplinary records
- Financial aid data — FAFSA information, aid packages, Expected Family Contribution data, federal student loan details
- Employee and faculty records — HR files, payroll data, SSNs, benefits enrollment, employment contracts
- Research data — if Monmouth faculty conduct funded research, grant documentation, proprietary research datasets, and IRB-approved study data may be included
- Health records — student health center data, Title IX records, disability accommodations, counseling records
- Financial records — tuition payment histories, billing accounts, vendor contracts, endowment-adjacent financial documentation
- IT infrastructure data — network diagrams, system credentials, Active Directory exports — the category most useful for lateral movement or follow-on attacks
At 16TB, the claimed scope is consistent with a full institutional data sweep rather than targeted file selection — suggesting either extended network access, automated bulk exfiltration tooling, or both.
Why It Matters
16TB is an outlier that demands scrutiny. Comparitech's benchmark places this claim at 28x the average higher education breach exfiltration volume. That scale either reflects an unusually open network architecture, prolonged undetected access enabling comprehensive data harvesting, or exaggeration by the threat actor for extortion leverage. Any of the three scenarios is concerning: the first two represent operational security failures; the third still means significant data was stolen.
PEAR is establishing a pattern against education. Six of PEAR's 13 confirmed attacks targeted educational institutions — a 46% sector concentration rate that is not coincidental. Universities are systematically attractive targets: large, complex networks with thousands of users, minimal security investment relative to their data footprint, strong public accountability that creates pressure to restore operations quickly, and data categories (student records, health data, financial aid) that are immediately monetizable. PEAR has identified this sector as a reliable revenue stream.
Student data carries compounded, long-duration harm. Unlike corporate breach victims who can monitor financial accounts, students may not discover the downstream effects of SSN exposure for years — particularly 18-22 year olds establishing credit histories for the first time. A student whose FAFSA data and SSN were stolen in this breach may encounter fraudulent tax filings, student loan fraud, or synthetic identity accounts years after graduation.
Law enforcement notification signals severity. Universities often handle incidents internally and notify regulators without engaging law enforcement. Leahy's explicit mention of law enforcement engagement — alongside the public notification — indicates institutional leadership is treating this as a serious criminal matter, not a contained IT incident.
The Attack Technique
No technical intrusion details have been confirmed by Monmouth or investigating forensic teams. PEAR's operational profile and higher education attack patterns point to the following likely entry paths:
- Phishing targeting students, faculty, or administrative staff — university email systems receive enormous volumes of external mail; phishing success rates in academic environments consistently exceed enterprise benchmarks due to lower security awareness training penetration
- Exposed RDP or VPN infrastructure — many universities expanded remote access during COVID-era distance learning without systematic post-pandemic hardening; legacy remote access endpoints without MFA remain widespread in higher education
- Exploitation of unpatched systems — university IT patch cycles are frequently governed by academic calendar constraints (avoiding patching during finals, etc.) that create predictable vulnerability windows
- Credential stuffing using student or staff credentials from prior breaches — university-affiliated email addresses appearing in dark web breach compilations are routinely tested against institutional SSO and VPN portals
- Third-party vendor or EdTech platform compromise — universities integrate dozens of external platforms (LMS, student information systems, financial aid portals) each representing a potential lateral entry point
PEAR's "Pure Extraction and Ransom" branding suggests the group prioritizes data theft over encryption — consistent with a network access pattern that enables broad, sustained data collection over a prolonged dwell period before any ransom demand is surfaced.
What Organizations Should Do
- Treat 16TB claims as a worst-case baseline for notification scope. University incident response teams should not wait for forensic confirmation of every file touched before initiating notifications. The combination of PEAR's public claim and Leahy's confirmation warrants broad proactive notification to students, staff, faculty, alumni, and research partners — with specific guidance on monitoring for identity fraud, phishing, and fraudulent financial aid activity.
- Audit all remote access infrastructure for MFA coverage immediately. Universities with any RDP, VPN, or web-based portal access that does not require MFA should treat that gap as a critical vulnerability requiring same-week remediation. FIDO2 or TOTP-based MFA on all externally accessible authentication points is the minimum standard. Prioritize administrative, financial aid, and student records system access.
- Segment student, health, financial, and research data environments. A breach that can sweep 16TB suggests a flat or loosely segmented network where a single compromised credential can traverse multiple data stores. Implement hard network segmentation between student information systems, health records (HIPAA-covered), financial systems, and general administrative infrastructure. A breach in one segment should not enable access to the others.
- Deploy email security tooling capable of blocking PEAR-style post-breach phishing. The university's own warning to watch for phishing impersonating institutional communications is an implicit acknowledgment that student and staff email data is in attacker hands. Deploy advanced email filtering with domain impersonation detection, DMARC enforcement, and link sandboxing — and brief the campus community with specific, concrete phishing examples to watch for.
- Engage REN-ISAC and higher education sector threat intelligence channels. The Research and Education Networks Information Sharing and Analysis Center (REN-ISAC) provides sector-specific threat intelligence, incident response assistance, and peer coordination specifically for universities. Monmouth's breach details — PEAR's TTPs, IOCs, and initial access vector when confirmed — should be shared through these channels to protect peer institutions.
- Review cyber insurance coverage against a 16TB exfiltration scenario. University insurance teams should verify current policy coverage for notification costs, credit monitoring for 6,000+ students and employees, regulatory fines, and litigation exposure arising from this scale of data exposure. Many institutional policies were written before double-extortion became the norm and may have coverage gaps for pure-exfiltration ransomware incidents where no encryption event occurred.
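As an added example (not code from the article, Monmouth, or any vendor), the domain-impersonation and DMARC-enforcement checks recommended above can be expressed as a small triage routine: it flags sender addresses that use a lookalike domain, embed the institution's domain inside an unrelated one, or pair an institutional display name with an external domain, and it reports whether a DMARC record is actually enforcing. The institution domain, names, and addresses below are constructed placeholders, not Monmouth's real values.

```python
import re
import unicodedata

# Assumption: placeholder institution domain and office names, not Monmouth's real ones.
INSTITUTION_DOMAINS = ("example-university.edu",)
INSTITUTION_NAMES = ("example university", "registrar", "financial aid", "bursar")

def normalize(domain: str) -> str:
    """Fold common lookalike substitutions so 'examp1e' compares equal to 'example'."""
    d = unicodedata.normalize("NFKC", domain).lower()
    for bad, good in (("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("rn", "m"), ("vv", "w")):
        d = d.replace(bad, good)
    return d

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic row-by-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(display_name: str, address: str) -> tuple[str, str]:
    """Return (verdict, reason) for one From: header. 'internal' only means the
    domain string matches; stopping spoofed use of that domain is DMARC's job."""
    domain = address.rsplit("@", 1)[-1].lower()
    if any(domain == inst or domain.endswith("." + inst) for inst in INSTITUTION_DOMAINS):
        return "internal", f"{domain} belongs to the institution"
    for inst in INSTITUTION_DOMAINS:
        if inst in domain:  # e.g. example-university.edu.secure-login.example
            return "embedded-domain", f"{inst} embedded in unrelated domain {domain}"
        if edit_distance(normalize(domain), normalize(inst)) <= 2:
            return "lookalike-domain", f"{domain} is within 2 edits of {inst}"
    if any(name in display_name.lower() for name in INSTITUTION_NAMES):
        return "display-name-impersonation", f"institutional display name on external domain {domain}"
    return "external", f"{domain} is unrelated to the institution"

def parse_dmarc(txt_record: str) -> tuple[str, bool]:
    """Parse a DMARC TXT record; 'enforcing' means p=quarantine/reject applied to 100% of mail."""
    tags = dict(re.findall(r"(\w+)\s*=\s*([^;]+)", txt_record))
    policy = tags.get("p", "none").strip().lower()
    pct = int(tags.get("pct", "100").strip())
    return policy, policy in ("quarantine", "reject") and pct == 100
```

A `p=none` record only asks receivers to report, so the institution's own domain can still be spoofed in post-breach phishing until the policy is moved to `quarantine` or `reject` at `pct=100`.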