BREAKING: Columbia student information at risk in ransomware attack

By Kendall Polidori and Mari Devereaux

Shane Tolentino

Updated Saturday, June 6 at 9 a.m. with information from Chief of Staff Laurent Pernot.

Columbia is the latest victim in an attack by a group of data hackers known as NetWalker that is threatening to publish students’ private data and sell their personal information on the dark web.

NetWalker is a “family” of ransomware, which is malware that encrypts files and blocks a person or company from accessing their own data. The hackers behind the attacks often threaten to publish victims’ sensitive information unless a ransom is paid.

Reports by Bloomberg and Inside Higher Ed this week revealed that Columbia, along with Michigan State University and the University of California, San Francisco, have all been targeted and given a deadline of six days to pay the ransom.

According to a Thursday, June 4 post in EdScoop, a site that covers educational technology, hackers threatened to expose files containing “highly sensitive data like social security numbers and other private information” on the dark web unless their demands were met.

This breach appears to pose a threat of exposing student and faculty information, which contradicts what the college said earlier this week, when it stated that to the best of the school’s knowledge, “no information was taken from the college’s servers,” as reported by the Chronicle Tuesday, June 2.

Kathie Koch, associate vice president and CIO, was not available for comment as of press time.

In a Friday, June 5 email statement to the Chronicle, Chief of Staff Laurent Pernot said the breach was detected by IT systems and was contained to a limited number of college servers. He said steps were taken to prevent further breaches and “most critical internal systems have been restored.”

“Some college, employee and student data was accessed by the perpetrators, though the exact nature and extent of that is still being determined,” Pernot said.

He said the hackers responsible for the breach are threatening to release information on the Internet unless certain financial demands are met. The college is working with expert investigators who specialize in handling such situations, he said.

Late afternoon Friday, June 5, the Chicago Police Department said no formal reports were made in regards to ransomware attacks at Columbia, but Pernot said law enforcement has been notified as of Friday night.

Many hackers have been taking advantage of the coronavirus pandemic to disseminate new varieties of ransomware, according to Cynet, a cyber-security company.

A 2019 report by Emsisoft, a cyber research firm, found that last year operations at 1,233 schools across the U.S. were impacted in some way by ransomware attacks. In some cases these hacks, which have reached an “extreme level” of threat, meant thousands of server and device shutdowns and lost grades.

“Contact has been established with those responsible for the ransomware and Columbia intends to keep communication channels open. We intend to communicate with impacted members of our community as soon as we are able,” Pernot said. “The full scope of the data breach is still being assessed. This is a highly sensitive and fluid situation, and we will communicate further as we are able to.”

Updated Saturday, June 6 at 12:22 p.m. with information from Brett Callow, a threat analyst at Emsisoft.

Brett Callow, a threat analyst for international cyber security at Emsisoft, said this incident has the potential to impact past and present students and faculty, as well as donors and suppliers. He said their information could be stolen, traded, sold and used for identity theft, spear phishing and business email compromise scams, among other variations of fraudulent activity.

“Ransomware incidents should be treated as data breaches from the outset and potentially affected parties [should be] notified immediately so they can take steps to prevent themselves [from] becoming the victims of crime,” Callow said.

Callow said Columbia is no longer listed on the site that originally posted about the school’s leaked information, along with University of California San Francisco, which could mean that both schools already paid the ransom.

However, even after paying, he said the college would only receive “a pinky promise” that the stolen data will be returned and not misused, which is not worth much when made by a criminal enterprise.

It is estimated that around one-third of organizations pay the ransom, Callow said, and many ransomware attacks are successful in some capacity because best practices such as using multi-factor authentication, patching systems promptly, and limiting administrator rights were not followed.

Callow said the only way to stop ransomware groups from becoming “apex predators” and upgrading their operations is for institutions to stop paying the ransom, effectively cutting off the flow of cash.

“If this does not happen, attacks will continue and become ever more sophisticated and hard to defend against,” he said.

Updated Monday, June 8 at 9:30 p.m. after a collegewide email from Columbia.

In a Monday, June 8 collegewide email, the college said it will provide more guidance and notify impacted individuals when more information is available. The college said it remains “dedicated to ensuring the security of the information in its control and is taking steps to prevent similar incidents from occurring in the future.”

To do so, the college has partnered with the cybersecurity firm CrowdStrike for further protection. The college installed CrowdStrike Falcon, software that monitors systems and provides alerting, blocking and containment against “malicious behavior,” according to the email.

“As a precautionary measure, until we know more about who was and was not impacted, everyone should closely monitor their personal financial accounts for any suspicious activity,” the email said.

More updates to come.