Back to Blog
high severity June 15, 2026 · scope unconfirmed

icc.edu Listed by shinyhunters Ransomware Group

Over 28 gigabytes of Illinois Central College data (122,000+ files) was compromised across PeopleSoft Campus Solutions and Human Resources (ICC, SURS pension reporting, Workday costing, and ICCB curriculum systems), including 9,200+ employee payslip PDFs, 500+ SURS payroll files with Social Security numbers, direct deposit records with bank account and routing numbers, student financial aid and grade roster exports, enrollment CSVs with @icc.edu accounts, and Workday salary allocation data spanning 2021 through June 2026. This is a final warning to reach out by 18 June 2026 before we leak alon

⚠ Were you affected?
Free email scanner — we check your address against 15.4B+ leaked records in 15 seconds.
Run free scan →
Severity High
Disclosed June 15, 2026
Affected Unconfirmed
Data exposed Internal files exfiltrated in ransomware attack

On June 15, 2026, the shinyhunters ransomware group listed Illinois Central College on its leak site, announcing that more than 28 gigabytes of internal files had been exfiltrated from the community college’s systems. The data includes thousands of employee payslips, payroll records containing Social Security numbers, direct deposit banking details, student financial aid information, grade rosters, and enrollment records tied to @icc.edu email accounts. The group gave the college until 18 June 2026 to contact them or face full public release of the material.

Confirmed Details from Reporting

Public reporting indicates the compromised systems include PeopleSoft Campus Solutions, Human Resources modules, SURS pension reporting, Workday costing allocations, and ICCB curriculum databases. Available reporting describes 9,200 employee payslip PDFs, more than 500 SURS payroll files that list Social Security numbers, direct deposit bank account and routing numbers, student financial aid and grade roster exports, and enrollment CSVs. The stolen material spans payroll and academic records from 2021 through June 2026. The number of individuals directly affected remains unknown, but the volume and sensitivity of the files suggest current and former employees, students, and their families could be exposed.

Why This Matters for You and Your Family

If you or anyone in your household attended Illinois Central College, worked there, or received payments through its payroll or pension systems, your personal financial and academic information may now sit on a ransomware leak site. Social Security numbers, bank routing details, salary history, and student records are valuable to identity thieves who can open accounts, file fraudulent tax returns, or sell the information on underground markets. Children listed on family insurance or student accounts can also become targets. Once this type of data leaves institutional control, it can circulate for years, increasing the chance that someone in your family will face account takeovers or fraudulent charges.

The Doxxing and Identity-Chain Risks

Credential leaks like the @icc.edu email addresses in this incident often serve as starting points for larger doxxing chains. Attackers link an institutional email to personal accounts, gaming profiles, or family addresses, then use any exposed passwords or personal details to seize control of those accounts. Public reporting shows that ransomware groups frequently publish samples to pressure victims, after which the full dataset moves to other criminals who automate identity mapping. This creates cascading risks: a stolen college record today can lead to a compromised gaming account tomorrow, especially for households where children use the same email domain or passwords.

Shinyhunters’ Publicly Known Track Record

Public reporting attributes the shinyhunters group with emerging in 2020 and targeting a range of educational institutions, government agencies, and private companies. Notable prior victims have included universities and technology service providers. Their typical playbook involves initial access through compromised credentials or vulnerabilities in web applications, followed by exfiltration of large document repositories, and then extortion via leak sites with countdown deadlines. They often publish sample files and demand direct contact before releasing the full archive, a pattern consistent with the current ICC posting.

What to do

  • Run a DoxxScan to map every link between your handles, emails, phone numbers, and real identity so you can see exactly what chains back to the icc.edu breach.
  • Rotate any password you ever used with an @icc.edu account anywhere else it is reused, and switch to 2FA through an authenticator app rather than text messages.
  • Enable continuous DoxxScan monitoring across 15.4B+ breach records and 100+ platforms so the next leak that touches your family is caught in hours, not months.
  • Cover the household with DoxxScan family protection that extends to dependents and children’s gaming accounts that often chain back to the same addresses or emails.
  • Let remediation specialists handle takedown requests across data brokers and leak sites for you while you focus on securing your own accounts.

The shinyhunters deadline has now passed, and the full 28-gigabyte archive may already be circulating. Quick, concrete steps today can limit how far the exposed information travels. DoxxScan by GalaxyWarden delivers continuous monitoring across 15.4 billion breach records and more than 100 platforms, AI-powered identity-chain mapping that connects scattered online handles to real identities, and hands-on remediation by specialists who manage takedowns for you and your entire household, including children’s gaming accounts that are frequently swept up in these cascades. Start your DoxxScan trial and close the gaps before the next breach compounds this one.

Share this Post on X Reddit Email
Why this isn’t just another breach checker

A breach leaks your credentials. Then hackers chain those credentials to your address, family, phone, and employer using public broker sites. We’re the only tool built around that chain.

Free checker Tells you the breach happened. End of story. You’re still on 800+ broker sites.
$129+/yr Broker-removal services scrub the address but don’t see the breach — next leak re-exposes you.
GalaxyWarden Maps the chain. Cleans both halves. $19 one-shot. Closed loop.

⚠ Were you in this breach?

Free email scanner. We check your address against 15.4B+ leaked records in 15 seconds — then show you the $19 cleanup that removes you from the broker sites aggregating leaked data.

Check my email — free →
Close the chain attack

Both halves of the chain, cleaned once.

A breach put your credentials in 15.4B+ leaked records. Hackers chain that data to your address on 800+ broker sites. GalaxyWarden closes both halves for $19 once — no subscription required.

Clean both halves — $19 →
Free breach scan + 800+ broker letters + 30-day proof · one payment, no subscription
W Warden Plus — ongoing monitoring $9.99/mo
Warden Plus ($9.99/mo or $99/yr): weekly re-scans, breach alerts, AI Concierge, auto re-files on relisted brokers.