Cybercriminals leak sensitive data, LC responds

Photo of a person tapping into the Bon
Leo Bernstein Newman / The Mossy Log

Concerns grow regarding cybersecurity following Executive Council update, college to send legal notices

Cyber-gang Vice Society claimed responsibility for the ransomware attack against Lewis & Clark, leaking personal data to the dark web. Soon, the college plans to issue formal legal notices to those affected.

On March 3, all three campuses experienced complete network outages that were the result of a widespread cyberattack on the college’s computer systems. The following day, the Executive Council announced they had determined that the network outage plaguing campus was the result of a cyberattack. On March 31, the Executive Council sent an email to the LC community revealing that it was a ransomware attack where hackers encrypted files and demanded that victims pay a sum to have them decrypted. Based on advice from law enforcement and the college’s external experts, the college declined to pay the ransom. 

The update also stated that the cybercriminals uploaded personal information to the dark web. The data leaked includes limited numbers of student passports, academic records, Title IX investigation documents and sensitive employee information for almost every employee on campus. The employment data leaked includes SSNs, dates of birth, addresses, employee numbers and wage information.

As a precaution, the college has offered students, staff and faculty free access to credit monitoring, and LC community members can also place a fraud alert and a security freeze on their credit file.

On April 3, news articles began circulating claiming that massive amounts of student and employee data had been published online. A day later, the Executive Council responded in an email: “The information reported, some of which has been inaccurate, has understandably caused some heightened concern within our community … there is no evidence that the information involved in this incident has been used for identity theft or financial fraud.” This is no longer the case.

According to a statement sent out by the Executive Council on March 31, “the cybercriminals responsible for the incident now claim to have published a limited amount of Lewis & Clark data on a ‘dark web’ website maintained by the threat actors. Our external cyber forensic firm is helping us to investigate this claim. We are currently working to retrieve the information, at which time we will conduct a thorough review.”

Many people are waiting for answers as to what information has been exposed. According to Vice President of Communications Lori Friedman, the college is currently working with external experts to painstakingly analyze all the leaked documents. This process is lengthy and time-consuming.

“Our obligation is really to communicate with people when there is sort of confirmed and complete information and our external experts are going through this very, very carefully and making sure that everything is verified,” said Friedman. “Communication is really best done at the end of the process to anyone, to all of those who had private data compromised as opposed to reaching out person by person which could be unverified and unconfirmed information.”

On April 3, Political Science Professor John Holzwarth received two alerts indicating that someone had applied for a Zales credit card in his name. 

“I got a message Monday morning from two different agencies… that said there has been a credit inquiry on your account,” Holzwarth said. “I went (online) and … it turns out that somebody applied for a credit card (in my name) at either Zales jewelry store or online.” 

On the LC College Parents and Families Facebook group, there has been growing concern about the impact of the attack. One member anonymously posted that they received a suspicious call with an LC caller ID. Comments to the post claim that other parents and family members of LC students have received similar phone calls from a Portland-area number.

According to the parent, “The caller had a very heavy accent and knew my name, but clearly (had) no sense of time as it was after office hours. When I asked what the call was regarding, he fumbled for a reason and just said my child is fitting in. I said I didn’t have a child and he asked me to confirm my name and I said that wasn’t me. When he hung up I tried to call the number back and it (did not) go through.”

On April 11, over two weeks after the data was published online, the Executive Council publicly acknowledged that personal information had been leaked and used without people’s permission, writing, “It is now clear that some amount of personal information belonging to the members of the LC community is included in the data … We are aware that a number of individuals report discovering that their social security numbers have been used to fraudulently file a tax return.” 

In the April 11 statement acknowledging personal data had been stolen and leaked, the Executive Council said they are moving toward the process of notifying affected community members about their increased risk of identity theft.

“Our forensic experts are undertaking a process that is methodical and painstaking,” the Executive Council wrote. “It wasn’t until this week that they were able to safely and successfully download the illegally stolen data from the ‘dark web.’ They are currently scanning it for malicious content to ensure it is safe to analyze. The data will then be thoroughly and carefully reviewed, and any person whose protected personal information is found to have been included in the data will receive a formal legal notice.”

ASB President Madeleine MacWilliamson has been in contact with administration and members of the Executive Council, but has received very little information about the scope of the cyberattack. 

“I have discussed the cyberattacks with Robin and Evette in our regularly scheduled one-on-ones,” MacWilliamson said via email. “During these meetings, we discussed the lack of communication between the institution and students. We have had several conversations, which have all been somewhat frustrating for both parties. I have pushed for further transparency. To be blunt, I heard unsatisfying answers—but these are still the answers we have for now. The institution wants to provide the most information possible without compromising the investigation and without unnecessarily scaring students.”

According to multiple news sources including Oregon Live and Government Technology, the ransomware cybercrime group Vice Society took credit for the attack. Vice Society, which began operating in January 2021, has targeted various institutions, including the San Francisco Bay Area Rapid Transit and the Los Angeles Unified School District. In 2022, more than 40 educational organizations, including 15 in the United States, were attacked by Vice Society, according to a report published by Palo Alto Networks. In addition, foreign government agencies, hospitals and other services have had their data compromised by the group.

Vice Society specializes in gaining access to victims’ networks. According to their website on the dark web, they started as a “group of friends that were interested in pentest.” A “pentest,” better known as penetration testing, is a simulated cyberattack against computer systems to check for exploitable vulnerabilities. The group is believed to be Russian-speaking, according to Wired magazine.

The ransom demanded of the college is unknown. Ransom notes from Vice Society typically pressure the victim to purchase a unique private key. The criminals also claim they are the only ones who can give the victim a tool to recover the encrypted files.

Efforts to restore the computer system included changing passwords, restoring the PioNet-Guest network and providing hotspots around campus. On March 21, another email from the Executive Council was sent out stating that LC network drives (LC files, H: drive, J: drive) and Moodle were only accessible as “read-only,” along with a “thank you” to the over 4,000 students, faculty and staff who had changed their passwords. Services that remain unavailable include the VPN (GlobalProtect), the PioNet secure Wi-Fi network and WebAdvisor for anyone whose password has not been changed.
