March 2023 Cyber Attack Information

Dear faculty and staff,

Good afternoon! We are writing to provide three important updates related to cybersecurity and our campus.

The first is an update on the investigation into the March 2023 cyberattack that impacted our campus and many of our community members. Our experts have worked throughout the summer on a comprehensive and thorough review of the materials that were compromised in the attack. At this point, they have reviewed roughly 90 percent of the files. Due to the complex nature of these materials, the process has required significant manual review. There are a number of steps that need to be completed before notifications will be sent to individuals whose protected information was confirmed to have been compromised. We will keep you posted as more information becomes available.

The second update: At the beginning of the summer President Holmes-Sullivan tasked the IT Governance Council with documenting the college’s ongoing efforts to sustain a robust cybersecurity position, with respect to both the management of our IT systems and the actions and responsibilities of all members of the Lewis & Clark community. That report, which includes actions undertaken in the near-term and the medium-term, is now complete. You can access it at the following link using your LC login credentials: https://bit.ly/3P58R1T

Our third update is sharing two of the most broadly relevant near-term measures. This semester you will see new software and updates to existing tools. For example, Google Plus licenses have been deployed to all staff and faculty. This implementation offers advanced security features that work to prevent, detect, and remediate security incidents.

In addition, in order to further secure our network, GlobalProtect, our Virtual Private Network (VPN), now requires the use of Multi-Factor Authentication (MFA). MFA adds an additional layer of authentication to ensure that you are the one that is trying to access your account. Access to VPN with MFA will be provided to community members who need to access network assets remotely.

To gain access to VPN with MFA contact itservice@lclark.edu with your name, LC email, and a description of your reason for needing remote access. Faculty should request access on behalf of their students if remote access is required for their course.

We will continue to add MFA to additional applications moving forward, so be on the lookout for additional communications.

Protecting the data on which our collective work depends is a high priority. The IT Governance Council will continue to develop policies and work with IT staff and consultants to identify and stay ahead of emerging threats. We will also continue to share pertinent information with the LC community with the goal of working together to keep our campus safe and secure.

Sincerely,

IT Governance Council

Members

• Adam Buchwald, Chief Information Officer
• Evette Castillo Clark, Vice President for Student Life and Dean of Students
• Andrea Dooley, Chief Financial Officer, Vice President for Operations
• Lori Friedman, Vice President for Communications
• Scott Fletcher, Dean of the Graduate School
• Jennifer Johnson, Dean, Erskine Wood Sr. Professor of Law, Lewis & Clark Law School
• David Reese, Vice President, General Counsel, Chief of Staff and Board Secretary
• Eric Staab, Vice President for Admissions and Financial Aid
• Bruce Suttmeier, Dean of the College of Arts and Sciences
• Josh Walter, Vice President for Advancement

Staff Support

• Meredith Goddard, Director of Enterprise Applications
• Ann Harris, Information Security Officer

Dear faculty, staff, and students,

We are writing to provide an update regarding the investigation into the cyberattack.

The compromised data is currently being analyzed by an external firm in an effort to find and identify any protected personal information that may be in it. It appears that the compromised data was retrieved from LC Files, which is the network drive that offices across campus use for storage of documents and other files.

There is no evidence to suggest that data from other systems was compromised beyond LC Files, such as Workday, the system that maintains employee and payroll data; Colleague, our general ledger and student information system; or Nelnet, the tuition payment system. It is encouraging that the investigation to date suggests that data from these major college systems were not compromised.

We are aware that some are experiencing fraudulent use of their personal information, including a number of employees who have reported that tax returns were filed using their social security numbers. These are truly distressing situations. We want to acknowledge the unsettling nature of these events and the major inconvenience of having to spend time trying to remedy them.

Signing up for credit monitoring, identity restoration services, and identity insurance by filling out this form remains the best action you can take to protect yourselves. If you have not done so already, we urge you to sign up for this service, which includes an Experian credit report at signup, active monitoring for indicators of fraud with the three major credit bureaus, and identity restoration services.

If you suspect an identity theft event, Experian’s Identity Restoration team will work with you as part of the services provided. They can assist throughout the fraud resolution process including by providing support to freeze credit files, contacting creditors to dispute charges, close accounts, compile documents, and contact relevant government and law enforcement agencies. Identity insurance is also included with the services and will cover certain costs and unauthorized electronic fund transfers.

Any individual whose private personal information was confirmed to have been acquired during the attack will receive written notification.

We remain committed to the safety and wellbeing of the LC community and will provide further updates as information becomes available.

Sincerely,

The Executive Council

Dear students, staff, and faculty,

A number of questions and concerns regarding the data posted by the cybercriminals who attacked the LC network have surfaced in the last few weeks. New information has been added to the FAQs to help provide additional support to the community: https://www.lclark.edu/news/march-2023/.

It is now clear that some amount of personal information belonging to the members of the LC community is included in the data. The full nature and scope of that data is not yet known and will not be confirmed until the investigation by our external experts is completed.

Our forensic experts are undertaking a process that is methodical and painstaking. It wasn’t until this week that they were able to safely and successfully download the illegally stolen data from the “dark web.” They are currently scanning it for malicious content to ensure it is safe to analyze. The data will then be thoroughly and carefully reviewed, and any person whose protected personal information is found to have been included in the data will receive a formal legal notice. The same services that are being offered to current students and employees will be offered to anyone whose protected private information was compromised in this attack.

While necessary to protect the community, we regret the lengthiness of this process and know it is a source of frustration. It is unsettling to wonder and not know if your personal information has been compromised. That is why we have taken the proactive step of offering complimentary credit monitoring to all current students and employees now, choosing not to wait for the full retrieval and confirmation of data to provide this assistance.

Credit monitoring is the most important step you can take to protect yourself. In addition to monitoring, the services provided include identity restoration support and identity theft insurance for anyone experiencing an incidence of fraud. We urge you to sign up for these services by filling out this short request form. After you submit the form, you will automatically receive an email from the address “IT Enterprise Applications team,” with the subject “Credit Monitoring Request Submitted,” which will include an enrollment code, additional details on services provided, and instructions on how you can activate the services. This automatic email response is not spam.

We are aware that a number of individuals report discovering that their social security numbers have been used to fraudulently file a tax return. We have added information to the FAQ page with a link to information from the IRS about how to handle such a situation.

We are also aware that concerned members of the community have searched the “dark web” and identified data that may now be circulating. Accessing stolen, illegal information from the “dark web” carries risks for those who access and distribute it. It could also facilitate additional criminal and malicious activity targeting our community. It is for these reasons that we are asking you to refrain from accessing or distributing such material.

As always, thank you for your understanding and patience.

Sincerely,

The Executive Council

Dear LC Community,

We recently learned that the cybercriminals responsible for the recent security incident published some amount of Lewis & Clark data on a “dark web” website. We are currently working to retrieve the information and to determine the extent to which it includes any sensitive personal information. Due to how cybercriminals publish data, it may take time to determine the full scope and nature of this data. We will provide formal notification to any individuals whose protected information is found to have been compromised in the course of this investigation, in accordance with all applicable laws, once the investigation is complete.

In the meantime, we are offering free credit monitoring to current students and employees.

If you would like to sign up for credit monitoring services, please fill out this short request form. You will then be provided with an enrollment code and instructions on how you can activate the service.

Below are additional steps you can take to protect your information, irrespective of whether it was compromised in this incident. We encourage you to review and consider whether they are appropriate for you.

Placing a Fraud Alert on Your Credit File

You may place an initial one-year “fraud alert” on your credit files at no charge. A fraud alert tells creditors to contact you personally before they open any new accounts. To place a fraud alert, call any one of the three major credit bureaus at the numbers listed below. As soon as one credit bureau confirms your fraud alert, they will notify the others.

If you are very concerned about becoming a victim of fraud or identity theft, you may also request a “security freeze” be placed on your credit file at no charge. A security freeze prohibits, with certain exceptions, the consumer reporting agencies from releasing your credit report or any information from it without your express authorization. You may place a security freeze on your credit report by contacting all three nationwide credit reporting companies at the numbers below and following the stated directions or by sending a request in writing, by mail, to all three credit reporting companies:

In order to place the security freeze, you’ll need to supply your name, address, date of birth, Social Security number, and other personal information. After receiving your freeze request, each credit reporting company will send you a confirmation letter containing a unique personal identification number (PIN) or password. Keep the PIN or password in a safe place. You will need it if you choose to lift the freeze.

Obtaining a Free Credit Report

Under federal law, you are entitled to one free credit report every 12 months from each of the above three major nationwide credit reporting companies. Call 1-877-322-8228 or request your free credit reports online at www.annualcreditreport.com. Once you receive your credit reports, review them for discrepancies. Identify any accounts you did not open or inquiries from creditors that you did not authorize. Verify all information is correct. If you have questions or notice incorrect information, contact the credit reporting company.

Additional Helpful Resources

Even if you do not find any suspicious activity on your initial credit reports, the Federal Trade Commission (FTC) recommends that you check your credit reports periodically. Checking your credit report periodically can help you spot problems and address them quickly.

If you find suspicious activity on your credit reports or have reason to believe your information is being misused, call your local law enforcement agency and file a police report. Be sure to obtain a copy of the police report, as many creditors will want the information it contains to absolve you of the fraudulent debts. You may also file a complaint with the FTC by contacting them on the web at www.ftc.gov/idtheft, by phone at 1-877-IDTHEFT (1-877-438-4338), or by mail at Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue, NW, Washington, DC 20580. Your complaint will be added to the FTC’s Identity Theft Data Clearinghouse, where it will be accessible to law enforcement for their investigations. In addition, you may obtain information from the FTC about fraud alerts and security freezes.

Thank you for your continued patience and understanding. We will continue to share information as we have it.

Sincerely,

The Executive Council

Dear LC Community,

As you are aware, we experienced a cyberattack beginning on March 3 which significantly impacted almost all IT systems on campus. We are now at a point in our response in which we are able to share more information about the nature of the incident.

It is common in such an instance for the attackers to use ransomware, which is a type of malicious software, or malware, to prevent the victim from accessing their computer files, systems, and networks until a ransom is paid. We now know that the attack was perpetrated by a group known for similar attacks against educational institutions.

Following the advice of law enforcement and our external experts, the college has chosen not to pay ransom. Instead, we have worked nonstop to rebuild our IT systems from backups which are regularly retained by the college. At the same time, we have been working with a cybersecurity forensic firm to assess whether and to what extent there has been any compromise of protected or otherwise sensitive data as a result of this incident.

The cybercriminals responsible for the incident now claim to have published a limited amount of Lewis & Clark data on a “dark web” website maintained by the threat actors. Our external cyber forensic firm is helping us to investigate this claim. We are currently working to retrieve the information, at which time we will conduct a thorough review. When cybercriminals publish data of this nature, they do so on portions of the internet that are unindexed, not easily searchable, and only accessible by means of special software, which means that it may take a while to investigate the scope and nature of this claim.

Given that we do not have reliable information about the scope or content of the allegedly published data, there is no action for you to take at this time. In the event we determine that the incident resulted in unauthorized access or acquisition of protected information related to students, faculty, staff, parents, or other friends of the college, we will provide notification to impacted individuals in accordance with state and federal regulations.

To date, we do not have evidence that the information involved in this incident has been used for identity theft or financial fraud. We are taking this very seriously and using all resources available to conduct a thorough and diligent review of the impacted data.

As a reminder, if you receive communications from persons claiming to have your personal information, or which are otherwise suspicious, please do not respond, and immediately report the incident to security@lclark.edu.

Once again, we appreciate your patience during our continued response to the incident.

Sincerely,

The Executive Council