March 2023 Cyber Attack Information

On March 3, 2023, Lewis & Clark experienced an IT security incident which negatively impacted systems and services across our campuses. Our IT team is working around the clock, alongside a team of external experts, to restore services and advise the college about next steps.

Frequently Asked Questions

The cybercriminals responsible for the recent security incident published some amount of Lewis & Clark data on the “dark web.” We are currently working to retrieve the information and to determine the extent to which it includes any sensitive personal information. Due to how cybercriminals publish data, it may take time to determine the full scope and nature of this data. We will provide formal notification to any individuals whose protected information is found to have been compromised in the course of this investigation, in accordance with all applicable laws, once the investigation is complete.

Although the investigation is still ongoing, we are making credit monitoring services available now to current students and employees, at the college’s expense, out of an abundance of caution.


April 7

Current students and employees who would like to access free credit monitoring should fill out this short request form. You need to be logged in to your lclark.edu Google account to access and complete the form. You will then be provided with an enrollment code and instructions on how you can activate the service.


April 7

Current students and employees who believe there was fraudulent use of their information as a result of this incident should sign up for Experian credit monitoring and other support services as described above. By subscribing to these Experian services, you also receive identity theft restoration support. After subscribing to the service, reach out to an Experian agent to discuss your situation. If, after discussing your situation with an agent, it is determined that identity restoration support is needed, then an Experian Identity Restoration agent is available to work with you to investigate and resolve each incident of fraud that occurred from the date of the incident (including, as appropriate, helping you with contacting credit grantors to dispute charges and close accounts; assisting you in placing a freeze on your credit file with the three major credit bureaus; and assisting you with contacting government agencies to help restore your identity to its proper condition).

Identity Restoration support is available to you for 12 months from the date of your engagement. The Terms and Conditions for this offer are located at www.ExperianIDWorks.com/restoration.

If you have questions about the product, need assistance with Identity Restoration that arose as a result of this incident, or would like an alternative to enrolling in Experian IdentityWorks online, please contact Experian’s customer care team at 1-877-890-9332 by 7/31/2023. Be prepared to provide your engagement number as proof of eligibility for the Identity Restoration services.


April 17

  1. Anybody can place a fraud alert on their credit file.

    You may place an initial one-year “fraud alert” on your credit files at no charge. A fraud alert tells creditors to contact you personally before they open any new accounts. To place a fraud alert, call or visit the website of any one of the three major credit bureaus at the numbers listed below. As soon as one credit bureau confirms your fraud alert, they will notify the others.

 

Equifax

P. O. Box 105788

Atlanta, GA 30348

https://www.equifax.com/personal/credit-report-services/credit-fraud-alerts/

(800) 525-6285

Experian

P. O. Box 9554

Allen, TX 75013

https://www.experian.com/fraud/center.html

(888) 397-3742

TransUnion

P. O. Box 6790

Fullerton, CA 92834-6790

https://www.transunion.com/fraud-alerts

(800) 680-7289

 

  1. You could also obtain a credit report for review. Under federal law, you are entitled to one free credit report every 12 months from each of the above three major nationwide credit reporting companies. Call 1-877-322-8228 or request your free credit reports online at www.annualcreditreport.com. Once you receive your credit reports, review them for discrepancies. Identify any accounts you did not open or inquiries from creditors that you did not authorize. Verify all information is correct. If you have questions or notice incorrect information, contact the credit reporting company.

    Even if you do not find any suspicious activity on your initial credit reports, the Federal Trade Commission (FTC) recommends that you check your credit reports periodically. Checking your credit report periodically can help you spot problems and address them quickly.

    If you find suspicious activity on your credit reports or have reason to believe your information is being misused, call your local law enforcement agency and file a police report. Be sure to obtain a copy of the police report, as many creditors will want the information it contains to absolve you of the fraudulent debts. You may also file a complaint with the FTC by contacting them on the web at www.ftc.gov/idtheft, by phone at 1-877-IDTHEFT (1-877-438-4338), or by mail at Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue, NW, Washington, DC 20580. Your complaint will be added to the FTC’s Identity Theft Data Clearinghouse, where it will be accessible to law enforcement for their investigations. In addition, you may obtain information from the FTC about fraud alerts and security freezes.

 

  1. If you are very concerned about becoming a victim of fraud or identity theft, you may also request a “security freeze” be placed on your credit file at no charge.

    A security freeze prohibits, with certain exceptions, the consumer reporting agencies from releasing your credit report or any information from it without your express authorization. You may place a security freeze on your credit report by contacting all three nationwide credit reporting companies at the numbers below and following the stated directions or by sending a request in writing, by mail, to all three credit reporting companies:

Equifax Security Freeze

P.O. Box 105788

Atlanta, GA 30348

https://www.equifax.com/personal/credit-report-services/credit-freeze/

1-800-349-9960

Experian Security Freeze

P.O. Box 9554

Allen, TX 75013

http://experian.com/freeze

1-888-397-3742

TransUnion Security Freeze

P.O. Box 2000

Chester, PA 19016

http://www.transunion.com/securityfreeze

1-888-909-8872

In order to place the security freeze, you’ll need to supply your name, address, date of birth, Social Security number, and other personal information. After receiving your freeze request, each credit reporting company will send you a confirmation letter containing a unique personal identification number (PIN) or password. Keep the PIN or password in a safe place. You will need it if you choose to lift the freeze.


April 7

Any former LC student or employee from within the last ten years who has reason to believe that they may have been negatively impacted by this incident can also request free credit monitoring and identity theft restoration services. To access such services, please fill out this short form.


April 18

The Office of Overseas and Off-Campus Programs routinely collects passport information for students participating in study abroad programs. It appears that at least some of this passport information may have been included in data stolen by the cybercriminals. At this point, we do not know the scope of passport information that might be impacted.

If you are a current student and are concerned about the security of your passport data, you should sign up for the credit monitoring services that have been offered.

The U.S. State Department does not recommend reporting your U.S. passport lost or stolen if your passport number was compromised. According to the State Department, you should only report your U.S. passport lost or stolen if the original, physical version of the passport book or passport card has been lost or stolen. Once you report a U.S. passport lost or stolen, it is invalid and cannot be used for international travel.


April 13

If you have not yet changed your password, you will be unable to access any LC system (other than Gmail and the Google Workspace).

To change your password, go to the IT Service Desk in Watzek Library or the Law School Help Desk during their normal operating hours. If you are not able to visit the help desk, contact itservice@lclark.edu.

You need to bring your LC ID card when you reset your password. If you do not have your LC ID card, bring a government-issued photo ID. It will be helpful if you know your user ID. The new password you choose will need to meet the following requirements:

  • Be between 9 and 19 characters in length
  • Contain at least 4 letters
  • Contain at least 1 uppercase and 1 lowercase letter
  • Contain at least 1 number
  • Be different than your current password

April 7

We should always keep the following recommendations in mind when managing email and spending time online:

  • Do not click on links promising information about a pay bonus, bank account issues, and such. No reputable organization, including LC, will ever ask you to email sensitive information such as a tax return, direct deposit bank account numbers, W2, or SSN.
  • Use apps that you know and trust. Download software only from verified sources such as the App Store or Google Play.
  • Verify that attachments are safe before downloading them. Cybercriminals may ask you to download a virus-containing attachment in order to view an update to an order, claim a prize, or change your payment method.
  • Pause before you open an email. Ask yourself whether you were expecting an offer or a notice of a prize gift card, or whether you have a package scheduled for delivery that may be delayed.
  • Verify links before clicking. When online shopping, click only on ads or links from a reputable source such as a retailer’s official social media profile.
  • Use official apps from FedEx, USPS, and UPS rather than clicking on links claiming a package is delayed or canceled, particularly if you don’t remember ordering something to be delivered.

April 7

If you receive a suspicious message, we recommend the following:

  • If you suspect the message is phishing but want to be sure, reach out directly to the person or organization using saved contact information or information found on a trusted website.
  • If using Gmail in your browser, click on the kebab menu (three vertical dots menu in the upper right corner) and select “Report Phishing”. This will help Google—and therefore LC—identify the offending message for quarantine.
  • Always exercise extreme caution when clicking on links that are hidden in email text. Try to hover over the text and if the full URL is not available, go directly to the website yourself and navigate to where the message is trying to take you.
  • DO NOT give passwords to anyone!  IT will never request this information, nor will the government or any reputable organization, whether it is your bank or your ISP.

April 7

Do not respond to the email, text, or phone call, and immediately report it to security@lclark.edu.


April 7

It is always a good idea to regularly change passwords on all accounts, such as online banking and credit card accounts, and to monitor your accounts for unusual activity. Tips for setting strong passwords include:

  • Use different passwords on different systems and accounts.
  • Don’t use passwords that are based on personal information that can be easily accessed or guessed.
  • Use the longest password or passphrase permissible by each password system.
  • Don’t use words that can be found in any dictionary of any language.
  • Refer to Tips on choosing and protecting passwords for best practices and additional information.

April 7

If you know or suspect that you are a victim of tax-related identity theft, the IRS recommends these actions:

  • Respond immediately to any IRS notice: Call the number provided.
  • If your e-filed return is rejected because of a duplicate filing under your Social Security number, or if the IRS instructs you to do so, complete IRS Form 14039, Identity Theft Affidavit (PDF). Use a fillable form at IRS.gov, print, then attach the form to your return and mail your return according to instructions.
  • Visit IdentityTheft.gov for steps you should take right away to protect yourself and your financial accounts.

More information is available at the link below:

https://www.irs.gov/newsroom/taxpayer-guide-to-identity-theft


April 10

The IRS website provides information on this topic and instructions on steps you can take to address it:


Returning an Erroneous Refund – Paper Check or Direct Deposit


May 3

The Experian Identity Works website contains a wealth of information related to alert notifications, online security, identity theft and other topics, including a comprehensive FAQs page: https://portal.experianidworks.com/c/common-questions


April 27

The Pionet-Guest network does not require login credentials and should be treated like a public wifi network. Best practices while utilizing a public wifi network include ensuring your device settings are up to date and using strong passwords.


April 7

Community Emails

Dear faculty and staff,

Good afternoon! We are writing to provide three important updates related to cybersecurity and our campus.

The first is an update on the investigation into the March 2023 cyberattack that impacted our campus and many of our community members. Our experts have worked throughout the summer on a comprehensive and thorough review of the materials that were compromised in the attack. At this point, they have reviewed roughly 90 percent of the files. Due to the complex nature of these materials, the process has required significant manual review. There are a number of steps that need to be completed before notifications will be sent to individuals whose protected information was confirmed to have been compromised. We will keep you posted as more information becomes available.

The second update: At the beginning of the summer President Holmes-Sullivan tasked the IT Governance Council with documenting the college’s ongoing efforts to sustain a robust cybersecurity position, with respect to both the management of our IT systems and the actions and responsibilities of all members of the Lewis & Clark community. That report, which includes actions undertaken in the near-term and the medium-term, is now complete. You can access it at the following link using your LC login credentials: https://bit.ly/3P58R1T

Our third update is sharing two of the most broadly relevant near-term measures. This semester you will see new software and updates to existing tools. For example, Google Plus licenses have been deployed to all staff and faculty. This implementation offers advanced security features that work to prevent, detect, and remediate security incidents.

In addition, in order to further secure our network, GlobalProtect, our Virtual Private Network (VPN), now requires the use of Multi-Factor Authentication (MFA). MFA adds an additional layer of authentication to ensure that you are the one that is trying to access your account. Access to VPN with MFA will be provided to community members who need to access network assets remotely.

To gain access to VPN with MFA contact itservice@lclark.edu with your name, LC email, and a description of your reason for needing remote access. Faculty should request access on behalf of their students if remote access is required for their course.

We will continue to add MFA to additional applications moving forward, so be on the lookout for additional communications.

Protecting the data on which our collective work depends is a high priority. The IT Governance Council will continue to develop policies and work with IT staff and consultants to identify and stay ahead of emerging threats. We will also continue to share pertinent information with the LC community with the goal of working together to keep our campus safe and secure.

 

Sincerely,

IT Governance Council

 

Members

  • Adam Buchwald, Chief Information Officer
  • Evette Castillo Clark, Vice President for Student Life and Dean of Students
  • Andrea Dooley, Chief Financial Officer, Vice President for Operations
  • Lori Friedman, Vice President for Communications
  • Scott Fletcher, Dean of the Graduate School
  • Jennifer Johnson, Dean, Erskine Wood Sr. Professor of Law, Lewis & Clark Law School
  • David Reese, Vice President, General Counsel, Chief of Staff and Board Secretary
  • Eric Staab, Vice President for Admissions and Financial Aid
  • Bruce Suttmeier, Dean of the College of Arts and Sciences
  • Josh Walter, Vice President for Advancement

 

Staff Support

  • Meredith Goddard, Director of Enterprise Applications
  • Ann Harris, Information Security Officer

Dear faculty, staff, and students,

We are writing to provide an update regarding the investigation into the cyberattack.

The compromised data is currently being analyzed by an external firm in an effort to find and identify any protected personal information that may be in it. It appears that the compromised data was retrieved from LC Files, which is the network drive that offices across campus use for storage of documents and other files.

There is no evidence to suggest that data from other systems was compromised beyond LC Files, such as Workday, the system that maintains employee and payroll data; Colleague, our general ledger and student information system; or Nelnet, the tuition payment system. It is encouraging that the investigation to date suggests that data from these major college systems were not compromised.

We are aware that some are experiencing fraudulent use of their personal information, including a number of employees who have reported that tax returns were filed using their social security numbers. These are truly distressing situations. We want to acknowledge the unsettling nature of these events and the major inconvenience of having to spend time trying to remedy them.

Signing up for credit monitoring, identity restoration services, and identity insurance by filling out this form remains the best action you can take to protect yourselves. If you have not done so already, we urge you to sign up for this service, which includes an Experian credit report at signup, active monitoring for indicators of fraud with the three major credit bureaus, and identity restoration services.

If you suspect an identity theft event, Experian’s Identity Restoration team will work with you as part of the services provided. They can assist throughout the fraud resolution process including by providing support to freeze credit files, contacting creditors to dispute charges, close accounts, compile documents, and contact relevant government and law enforcement agencies. Identity insurance is also included with the services and will cover certain costs and unauthorized electronic fund transfers.

Any individual whose private personal information was confirmed to have been acquired during the attack will receive written notification.

We remain committed to the safety and wellbeing of the LC community and will provide further updates as information becomes available.


Sincerely,

The Executive Council


Dear students, staff, and faculty,

A number of questions and concerns regarding the data posted by the cybercriminals who attacked the LC network have surfaced in the last few weeks. New information has been added to the FAQs to help provide additional support to the community: https://www.lclark.edu/news/march-2023/.

It is now clear that some amount of personal information belonging to the members of the LC community is included in the data. The full nature and scope of that data is not yet known and will not be confirmed until the investigation by our external experts is completed.

Our forensic experts are undertaking a process that is methodical and painstaking. It wasn’t until this week that they were able to safely and successfully download the illegally stolen data from the “dark web.” They are currently scanning it for malicious content to ensure it is safe to analyze. The data will then be thoroughly and carefully reviewed, and any person whose protected personal information is found to have been included in the data will receive a formal legal notice. The same services that are being offered to current students and employees will be offered to anyone whose protected private information was compromised in this attack.

While necessary to protect the community, we regret the lengthiness of this process and know it is a source of frustration. It is unsettling to wonder and not know if your personal information has been compromised. That is why we have taken the proactive step of offering complimentary credit monitoring to all current students and employees now, choosing not to wait for the full retrieval and confirmation of data to provide this assistance.

Credit monitoring is the most important step you can take to protect yourself. In addition to monitoring, the services provided include identity restoration support and identity theft insurance for anyone experiencing an incidence of fraud. We urge you to sign up for these services by filling out this short request form. After you submit the form, you will automatically receive an email from the address “IT Enterprise Applications team,” with the subject “Credit Monitoring Request Submitted,” which will include an enrollment code, additional details on services provided, and instructions on how you can activate the services. This automatic email response is not spam.

We are aware that a number of individuals report discovering that their social security numbers have been used to fraudulently file a tax return. We have added information to the FAQ page with a link to information from the IRS about how to handle such a situation.

We are also aware that concerned members of the community have searched the “dark web” and identified data that may now be circulating. Accessing stolen, illegal information from the “dark web” carries risks for those who access and distribute it. It could also facilitate additional criminal and malicious activity targeting our community. It is for these reasons that we are asking you to refrain from accessing or distributing such material.

As always, thank you for your understanding and patience.

 

Sincerely,

The Executive Council


Dear LC Community,

We recently learned that the cybercriminals responsible for the recent security incident published some amount of Lewis & Clark data on a “dark web” website. We are currently working to retrieve the information and to determine the extent to which it includes any sensitive personal information. Due to how cybercriminals publish data, it may take time to determine the full scope and nature of this data. We will provide formal notification to any individuals whose protected information is found to have been compromised in the course of this investigation, in accordance with all applicable laws, once the investigation is complete.

In the meantime, we are offering free credit monitoring to current students and employees.

If you would like to sign up for credit monitoring services, please fill out this short request form. You will then be provided with an enrollment code and instructions on how you can activate the service.

Below are additional steps you can take to protect your information, irrespective of whether it was compromised in this incident. We encourage you to review and consider whether they are appropriate for you.

Placing a Fraud Alert on Your Credit File

You may place an initial one-year “fraud alert” on your credit files at no charge. A fraud alert tells creditors to contact you personally before they open any new accounts. To place a fraud alert, call any one of the three major credit bureaus at the numbers listed below. As soon as one credit bureau confirms your fraud alert, they will notify the others.

Equifax

P. O. Box 105788

Atlanta, GA 30348

https://www.equifax.com/personal/credit-report-services/credit-fraud-alerts/

(800) 525-6285

Experian

P. O. Box 9554

Allen, TX 75013

https://www.experian.com/fraud/center.html

(888) 397-3742

TransUnion

P. O. Box 6790

Fullerton, CA 92834-6790

https://www.transunion.com/fraud-alerts

(800) 680-7289

Consider Placing a Security Freeze on Your Credit File.

If you are very concerned about becoming a victim of fraud or identity theft, you may also request a “security freeze” be placed on your credit file at no charge. A security freeze prohibits, with certain exceptions, the consumer reporting agencies from releasing your credit report or any information from it without your express authorization. You may place a security freeze on your credit report by contacting all three nationwide credit reporting companies at the numbers below and following the stated directions or by sending a request in writing, by mail, to all three credit reporting companies:

Equifax Security Freeze

P.O. Box 105788

Atlanta, GA 30348

https://www.equifax.com/personal/credit-report-services/credit-freeze/

1-800-349-9960

Experian Security Freeze

P.O. Box 9554

Allen, TX 75013

http://experian.com/freeze

1-888-397-3742

TransUnion Security Freeze

P.O. Box 2000

Chester, PA 19016

http://www.transunion.com/securityfreeze

1-888-909-8872

In order to place the security freeze, you’ll need to supply your name, address, date of birth, Social Security number, and other personal information. After receiving your freeze request, each credit reporting company will send you a confirmation letter containing a unique personal identification number (PIN) or password. Keep the PIN or password in a safe place. You will need it if you choose to lift the freeze.

Obtaining a Free Credit Report

Under federal law, you are entitled to one free credit report every 12 months from each of the above three major nationwide credit reporting companies. Call 1-877-322-8228 or request your free credit reports online at www.annualcreditreport.com. Once you receive your credit reports, review them for discrepancies. Identify any accounts you did not open or inquiries from creditors that you did not authorize. Verify all information is correct. If you have questions or notice incorrect information, contact the credit reporting company.

Additional Helpful Resources

Even if you do not find any suspicious activity on your initial credit reports, the Federal Trade Commission (FTC) recommends that you check your credit reports periodically. Checking your credit report periodically can help you spot problems and address them quickly.

If you find suspicious activity on your credit reports or have reason to believe your information is being misused, call your local law enforcement agency and file a police report. Be sure to obtain a copy of the police report, as many creditors will want the information it contains to absolve you of the fraudulent debts. You may also file a complaint with the FTC by contacting them on the web at www.ftc.gov/idtheft, by phone at 1-877-IDTHEFT (1-877-438-4338), or by mail at Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue, NW, Washington, DC 20580. Your complaint will be added to the FTC’s Identity Theft Data Clearinghouse, where it will be accessible to law enforcement for their investigations. In addition, you may obtain information from the FTC about fraud alerts and security freezes.

Thank you for your continued patience and understanding. We will continue to share information as we have it.

Sincerely,

The Executive Council


Dear LC Community,

As you are aware, we experienced a cyberattack beginning on March 3 which significantly impacted almost all IT systems on campus. We are now at a point in our response in which we are able to share more information about the nature of the incident.

It is common in such an instance for the attackers to use ransomware, which is a type of malicious software, or malware, to prevent the victim from accessing their computer files, systems, and networks until a ransom is paid. We now know that the attack was perpetrated by a group known for similar attacks against educational institutions.

Following the advice of law enforcement and our external experts, the college has chosen not to pay ransom. Instead, we have worked nonstop to rebuild our IT systems from backups which are regularly retained by the college. At the same time, we have been working with a cybersecurity forensic firm to assess whether and to what extent there has been any compromise of protected or otherwise sensitive data as a result of this incident.

The cybercriminals responsible for the incident now claim to have published a limited amount of Lewis & Clark data on a “dark web” website maintained by the threat actors. Our external cyber forensic firm is helping us to investigate this claim. We are currently working to retrieve the information, at which time we will conduct a thorough review. When cybercriminals publish data of this nature, they do so on portions of the internet that are unindexed, not easily searchable, and only accessible by means of special software, which means that it may take a while to investigate the scope and nature of this claim.

Given that we do not have reliable information about the scope or content of the allegedly published data, there is no action for you to take at this time. In the event we determine that the incident resulted in unauthorized access or acquisition of protected information related to students, faculty, staff, parents, or other friends of the college, we will provide notification to impacted individuals in accordance with state and federal regulations.

To date, we do not have evidence that the information involved in this incident has been used for identity theft or financial fraud. We are taking this very seriously and using all resources available to conduct a thorough and diligent review of the impacted data.

As a reminder, if you receive communications from persons claiming to have your personal information, or which are otherwise suspicious, please do not respond, and immediately report the incident to security@lclark.edu.

Once again, we appreciate your patience during our continued response to the incident.

Sincerely,

The Executive Council



Most IT systems have been fully restored since the initial outage.  We will keep you informed of developments as progress is made, and will update this webpage as new information is available. 

This page last updated: 1/20/2024.