State of college ransomware attack remains unclear

By Kendall Polidori and Mari Devereaux

After more than a month since the ransomware attack on Columbia servers, it is still unclear the extent of the damage and what student, faculty or staff information was compromised. (Associated Press)

After weeks of silence from Columbia administrators following a May ransomware attack, students, faculty and staff remain in the dark about where the college stands on potentially paying the ransom and what personal information may be at risk.

Alongside other colleges like the University of California, San Francisco and Michigan State University, Columbia became the victim of a NetWalker ransomware attack in late May.

The University of California, San Francisco negotiated with hackers and recently paid $1.14 million in Bitcoin ransom to protect student, faculty and staff information. But last month Michigan State University announced it would not pay the ransom to prevent the encouragement of future attacks, which resulted in hackers publishing obtained documents in early June.

MSU spokesperson Emily Geurrant said in a Wednesday, July 8 email she cannot confirm if the incidents among the three colleges are linked or connected, but said it is not “uncommon for IT people to connect on these issues.”

Guerrant said MSU’s incident was a ransomware attack and not a data breach.

In a June 6 email statement to the Chronicle, Chief of Staff Laurent Pernot said “some college, employee and student data was accessed by the perpetrators, though the exact nature and extent of that is still being determined.”

It is unclear whether the ransomware attack on Columbia is also technically classified as a data breach, but a June 12 collegewide email also seemed to indicate hackers had at least some personal data: “We plan to notify individuals whose data the investigation determines to have been in the possession of the perpetrators, even if it has not been misused.”

Colin Jennings, a partner at the international law firm Squire Patton Boggs, said the nature of the attack for ransomware depends on what data has been compromised, the sensitivity of it and whether or not there has been removal of data⁠.

Jennings said if an organization is guarded regarding releasing information about a breach or attack, it may be because of the nature of the attack and wanting to “control the narrative.”

According to a 2020 study by Comparitech, a technology research website, 12% of colleges in Illinois, around 31 in total, have had data breaches since 2005. In Chicago alone, there have been 21 breaches in colleges and K-12 schools.

According to a Wednesday, July 8 Emsisoft blog post, so far this year the U.S. has seen an uptick in attacks with “at least five government entities and three universities, including a public research university actively engaged in COVID-19 research” being affected.

The ransomware attack on Columbia took place May 30 at which point the college detected “malicious activity” in its data center. The school said it would provide collegewide announcements and updates on the state of the attack as student, faculty and staff information are at risk, as reported by the Chronicle June 10.

The college said it would install software from CrowdStrike, a cybersecurity firm, to protect against malware on its servers and other network connected computers and advised students, faculty and staff to closely monitor personal financial accounts for “suspicious activity.”

As of publication, three collegewide emails have been sentJune 2June 8 and June 12addressing the initial breach and stating the college is looking into the matter and will update all parties on its findings.

But since then Columbia has not provided updates for students, faculty and staff on whose information may have been compromised or how it is moving forward in protecting the Columbia community’s information.

Shortly after the college was named a victim of the attack, its name was taken off the leak site, which is where victims of ransomware are listed. Brett Callow, a threat analyst for international cybersecurity at Emsisoft, said this is typically a sign the college is either in negotiations with the hackers or has paid the ransom amount requested.

Since the June 12 update, the Chronicle has made repeated requests for interviews and updates on the attack and the ongoing investigation at the college, but has received no response.

Craig Sigele, academic manager for the Communication Department and president of USofCC, the staff union, said the breach has been a big concern for the union and they requested a list of union members whose information may have been compromised—but they have not received anything.

Sigele said it is a sensitive issue but he wishes the college would send a community update. He said the only thing he knows about data breaches comes from reading technology magazines and seeing how other schools are dealing with them.

“[The college] should understand the importance of being transparent and giving out communication,” Sigele said. “They shouldn’t rely on our distraction with [COVID-19] and registration or preparing to return to school, without following up on this issue.”

Sigele said a monthly update on the status of the breach would be helpful, and said it is necessary for the college to routinely remind people to monitor their bank accounts.

“I trust the administration to do what is right in this situation, but it is disconcerting that they are not following up,” Sigele said.

Jennings said if data were actually compromised, then the college has an obligation to disclose the incident under certain federal and state data privacy laws.

In August 2019 Illinois signed into law Senate Bill 1624, which amended the The Personal Information Protection Act, requiring any entity impacted by a data breach to notify the Illinois Attorney General, Kwame Raoul, if it involves more than 500 Illinois residents. The law went into effect January 1 of this year.

According to the amended state law, the notification should be made “in the most expedient time possible and without unreasonable delay.”

The law states that when notifying those affected by a breach—in this case potentially students, faculty and staff at the college—the disclosure must include the personal information breached, toll-free numbers and addresses for consumer reporting agencies and the Federal Trade Commission and a statement that the individuals affected can obtain information from the provided sources about fraud alerts and security freezes.

According to a June 23 email from Melissa Woo, MSU senior vice president for Information Technology and chief information officer, to MSU students, faculty and staff, the university’s IT department successfully recovered all compromised data and contacted anyone who may have been affected by the intrusion to “help provide them with appropriate mitigation measures.”

It is unclear if Columbia has notified individuals affected by the breach and what sources or guidance is being provided to those most impacted.

“The moral issue comes down to, in my mind, to a business judgement on whether or not the university feels that it’s important to provide more information, oftentimes just disclosing the fact of the event and that it happened and there was no loss of data,” Jennings said.

He said the reality is the information compromised from a data breach at a college is the “property of the individual,” including their name, bank account information and social security number.

Jennings said in the case of a ransomware attack, the college is the victim rather than individual students, faculty or staff members.

“You have to find the right balancing act with disclosure, particularly public disclosure, and so I think they are trying to find that balance,” Jennings said.