College should have shared data breach information sooner, experts say

By Kendall Polidori and Mari Devereaux

Shane Tolentino

Eight days after the school fell victim to an attack by NetWalker, a group of data hackers, Columbia officials sent a collegewide email stating the college is “working diligently around the clock with outside professionals and law enforcement to protect its student community and employees.”

The email said individuals who have been impacted by this breach are currently unknown because the investigation is still underway, and said the college will provide more guidance and notify those affected when more information surfaces.

According to Brett Callow, a threat analyst for international cybersecurity at Emsisoft, establishing what did or did not happen, and what data may have been compromised post-incident is “far from easy and the necessary forensic investigation can take several weeks to complete.”

But Callow said incidents like Columbia’s should be treated as data breaches from the beginning and there should have been appropriate guidance provided immediately to potentially affected parties.

By Callow’s standard, students, faculty and staff should have been notified of the Saturday, May 30 data breach as soon as the college discovered it.

“It’s better for people to take precautions that prove unnecessary than to become the victims of cybercrime,” Callow said.

On Tuesday, June 2 the Information Technology Department sent a collegewide email stating the department detected “malicious activity” in the college’s data center Saturday, May 30. It said the college caught the cyber attack quickly but some Columbia applications were still compromised, resulting in six of them being shut down.

The email did not warn the Columbia community of potential risks or offer advice on steps faculty and staff should take to protect their information.

In an interview with the Chronicle Tuesday, June 2, Associate Vice President and CIO Kathie Koch said from what she knew at the time no information was taken from the college’s servers.

A Thursday, June 4 post in EdScoop, a site that covers educational technology, said hackers threatened to expose Columbia files containing “highly sensitive data like social security numbers and other private information,” on the dark web unless their demands were met.

As reported by the Chronicle Friday, June 5, Chief of Staff Laurent Pernot said, “Some college, employee and student data was accessed by the perpetrators, though the exact nature and extent of that is still being determined.”

Koch has not responded to the Chronicle’s repeated requests for interviews for further information between Friday, June 5 and press time Wednesday, June 10.

Pernot said in a Wednesday, June 10 email statement to the Chronicle that the college plans to update the campus community again this week and will notify those impacted individually.

Joanna Sobran, CEO and president of MXOtech, said it is important to understand the difference between data breaches and ransomware.

She said NetWalker is classified as ransomware, which does not explicitly imply a data breach occurred, but means files are encrypted to deny access unless a ransom is paid.

In the Monday, June 8 collegewide email, the college announced its partnership with CrowdStrike, a cybersecurity firm, and the installation of its Falcon software to college-owned servers and other network connected computers.

The announcement said the software will monitor all systems, and the service “includes alerting, blocking, and containment capabilities against malicious behavior.”

Callow said Emsisoft often recommends organizations completely rebuild their networks as opposed to simply decrypting data or restoring it from backups. He said this is recommended because hacker groups can often leave “backdoors” used to launch a second attack or maintain continuous access to compromised networks.

One of the college’s applications that was down last week was MyColumbia, which contains the personal information of students, faculty and staff, and student employment information.

Jim Droske, president of the consumer credit repair company Illinois Credit Services, said everyone should act and take steps under the assumption their personal information or data is “out there.”

Information such as names, addresses, date of birth, social security numbers, phone numbers, account numbers, passwords, user IDs and bank information could have been part of the breach, as the extent of what was compromised is still not entirely known, Droske said.

Droske said proper steps would include obtaining copies of all three credit reports, which does not affect credit scores, and monitoring credit or new inquiries daily; changing passwords on all accounts and not using the same one twice; using a credit card rather than a debit card; checking statements for unauthorized charges; and treating accounts with money in them as the “highest priority.”

Craig Sigele, academic manager for the Communication Department and president of USofCC, the staff union, said several weeks ago the union heard Columbia might be the victim of a ransomware attack, but he was told by Human Resources they were not aware of any data breaches at the time.

Sigele said the time it took the college to issue a formal response is “concerning” and he would have liked more specific direction on how staff members can protect their social security numbers, bank and routing numbers and whether or not passwords should be changed.

“I don’t think unless the Chronicle had come out with that report about the ransomware that [Columbia] would ever share that information,” Sigele said.

Diana Vallera, president of CFAC, the part-time faculty union, said since the investigation is ongoing, the college has said it cannot give her any additional updates outside of the collegewide emails.

Vallera, also a part-time faculty member in the Photography Department, said she is looking into practices used by other universities dealing with similar issues to avoid future data breaches and thinking about necessary protections for students, staff and faculty whose information may be compromised.

“It certainly makes me question what happened, what kind of security is in place and do we need to allocate more resources going forward,” Vallera said.

St. Louis resident Cindy McReynolds, whose daughter attends Columbia, said when she first heard Columbia was the victim of a ransomware attack, she was empathetic that the college had to deal with the situation on top of the coronavirus and campus damages following citywide riots.

However, McReynolds said after reading the emails from the college and looking at other parents’ concern on Facebook, she decided to change her bank password “just to be safe.”

Droske said everyone should worry about taking steps to be proactive in protecting themselves and their personal information—regardless of a data breach and the extent of information compromised.

“Passwords can be changed; credit can be frozen and monitored,” Droske said. “There are many things consumers should be doing in wake of an imperfect world of technology, and fraudsters are feasting.”

Michael Wozny, director of the Chicago IT support firm MXOtech, said at this point, the college should have informed everyone at the college of the specific nature and extent of the breach, the potential data loss if present, remediation and a prevention plan, and provide dark web scanning for impacted users and credit monitoring.

“Breaches of information should be shared near real time, in order to minimize panic and further potential compromise,” Wozny said.

Droske said to keep in mind that a “very small percentage of data-breached consumers have actual identity theft relative to the number of files that are breached.”

He said there is also no guarantee in tracing the problem back to a specific breach.

“So, which breach is to blame? If someone from [Columbia] gets compromised by identity theft, was it because of the [college’s] breach or were they one of the 146 million consumers compromised in the massive [2017] Equifax Data Breach?” Droske said. “No one will ever know.”