Back to news
Cybersecurity Alert
July 13, 2026 by EmailMeNow IT Consulting

Was University of St. Thomas–Houston Breached? We Scanned Their Domain Security

University of St. Thomas–Houston reported a Texas OAG breach on May 28, 2026 affecting 24,158 Texans after July–August 2025 unauthorized access. Audits score stthom.edu at 69% — above peers, still below the 100% ideal.

Source: Texas OAG · University of St. Thomas · Maine AG

NewsData BreachTexasHigher EducationCybersecurity
University of St. Thomas Houston campus data breach cybersecurity illustration

Yes — the University of St. Thomas–Houston (USTH) disclosed unauthorized network access and reported 24,158 Texans on the Texas OAG list published May 28, 2026. This filing sits in our May 28 Texas OAG roundup.

Per the university’s cybersecurity awareness notice, suspicious activity was identified around August 12, 2025. Investigation found unauthorized access between July 25 and August 12, 2025, with files accessed and/or acquired. Public reporting links the incident to an INC Ransom dark-web claim (~1.8 TB). Consumer letters began about May 26, 2026, with 12 months of Experian IdentityWorks offered.

We audited stthom.edu on July 13, 2026 against the 100% ideal.

Breach Impact

FieldDetail
EntityUniversity of St. Thomas – Houston
SectorPrivate Catholic university
Intrusion windowJul 25 – Aug 12, 2025
Texans (OAG)24,158
Data typesNames; address; SSN; DL/gov ID; financial; medical; health insurance; DOB
Notice methodsPrint media; website; U.S. Mail
MonitoringExperian (12 months)

Illustration: private university network intrusion exposing student and employee PII and health data

Independent Cybersecurity Audit

DomainOverallIdentityTransportWebsitevs 100% ideal
stthom.edu69%65%45%70%Above Average — still short of ideal

Key findings: Among Texas privates we scanned, St. Thomas leads Rice/SMU (44%) on overall score, yet 69% ≠ 100%. Transport at 45% is better than the common 15% campus floor but still invites post-breach spoofed Experian-enrollment phishing if DMARC is not at reject.

Illustration: stthom.edu audit scorecard at 69% overall versus 100% ideal

Audit: stthom.edu

Website stack note

  • St. Thomas – Houston (stthom.edu): WordPress behind current (running 6.9.4; latest 7.0.1)

Priority Actions

Affected individuals: Use only the Experian enrollment path printed in your letter. Call the university’s published incident line for questions — not numbers from unexpected email.

Campus IT: Push identity from 65% → DMARC reject; finish MTA-STS enforce; treat advancement and alumni mail as high-risk spoof targets after PHI/SSN exposure.


audit.emailmenow.com · Contact

Sources: USTH notice · Texas OAG · Maine AG filing