The college said in a statement Friday that it is working with a cybersecurity forensic firm to determine whether sensitive personal information had been compromised in the ransomware attack that “significantly impacted almost all IT systems on campus.”
Cybersecurity news group The Record reported Friday that cyber crime group Vice Society had claimed credit for the March 3 attack and posted a sampling of documents allegedly stolen from the college, including images of passports and documents that include Social Security numbers.
Ransomware attacks happen when cyber criminals use software to prevent a company or government agency from accessing its computer systems, or threaten to publish personal data unless the agency pays a ransom. The college said in its statement Friday that the cyber criminals claimed to have published personal information on the “dark web,” which is not easily searchable, and that it may take time for the college to investigate the claims.
“To date, we do not have evidence that the information involved in this incident has been used for identity theft or financial fraud,” the school’s statement said. “We are taking this very seriously and using all resources available to conduct a thorough and diligent review of the impacted data.”
The school plans to notify individuals if it discovers personal information has been leaked.
Vice Society has a history of targeting school systems and hospitals, tech publication Wired reports. Last year the group targeted the Los Angeles Unified School District, demanding money in exchange for 500 gigabytes of student data. When the district did not pay up, Vice Society released Social Security numbers, tax information and health details of students, according to Wired.
The Federal Bureau of Investigation issued an alert last September warning that Vice Society was “disproportionately targeting the education sector” with its attacks. A report from cybersecurity group Sophos says that ransomware attacks against colleges and universities have increased in recent years, following a similar trend across all business sectors.
Lewis & Clark has not publicly blamed Vice Society for the attack, though several cybersecurity professionals have posted screenshots of the organization taking responsibility for the breach. On Monday, the college said it was limited in what it could share publicly without impacting the investigation.
The college said in its statement that it decided not to pay the ransom at the advice of law enforcement, but declined Monday to disclose how much money attackers demanded or why law enforcement advised against paying the demand.
“Since the attack, Lewis & Clark’s priorities have been rebuilding our systems to minimize disruptions to the educational progress of our students and protecting the personal data of our community members,” spokesperson Lois Davis said in an email. “We are committed to protecting the safety and personal data of our community members.”
Most of the school’s IT systems are back online following the attack, the school said. The college won’t penalize students who haven’t been able to access their student accounts to make payments, a help website says, and it has extended an employee benefits deadline after the outage impacted its human resources systems.
©2023 Advance Local Media LLC. Distributed by Tribune Content Agency, LLC.
