The Institute of Culinary Education this week confirmed it notified 33,342 people of an April 2025 data breach that compromised the following personal info:
- Names
- Social Security numbers
- Dates of birth
- Driver’s license numbers
- US alien registration numbers
Ransomware group Payouts King took credit for the attack in late June, saying it stole 1.5 TB of data. It currently lists the Institute on its data leak site with the status, “leaked”.
The Institute of Culinary Education has not verified Payouts King’s claim. We do not know if the Institute paid a ransom, how much Payouts King demanded, or how attackers breached the school’s network. Comparitech contacted the Institute of Culinary Education for comment and will update this article if it replies.
“Our investigation determined that an unauthorized actor gained access to certain Institute systems and copied files from those systems on or around May 5, 2025,” says the Institute’s notice to victims.
The Institute is offering eligible victims free credit monitoring through Epiq.
Who is Payouts King?
Payouts King is a newer ransomware group that emerged over the summer. The group says it is not ransomware-as-a-service, which means it does not sell its services to affiliates. Instead, it operates independently, launches its own attacks, and collects its own ransoms.
Four out of Payouts King’s 19 total attack claims have been confirmed. The rest have not been publicly acknowledged by the targeted companies. The group’s confirmed attack claims include:
- Gateway Community Services notified 34,498 people of an April 2025 data breach
- Monterey Mushrooms notified 2,324 people of an August 2025 data breach
- Glenwood Management notified 8,146 people of a June 2025 data breach
Ransomware attacks on US education
Comparitech researchers have logged 34 confirmed ransomware attacks on US schools, colleges, and other educational institutions in 2025 to date, compromising 183,754 records. This attack on the Institute of Culinary Education is the third-largest by number of records.
Cherokee County School District stands as the largest such breach. The district notified 46,119 people of a March 2025 data breach claimed by Interlock. Madison Elementary School District 38 comes in second after it notified 35,000 people of an April 2025 breach, also claimed by Interlock.
More recently, Mecklenburg County Public Schools said Qilin breached its systems, locked down computer systems, and stole data.
