March 2023 Cyber Attack Information

Dear Lewis & Clark Community,

Last week, we shared an update with you regarding the 2023 cyberattack on the college. In that update we shared that the vendor failed to include a unique code in the Breach Notification Letters needed to access complimentary credit monitoring services. These services are being provided for individuals whose Social Security Number was impacted.

As noted in last week’s message, if you received a letter indicating that you are eligible for these services but did not receive a code, the vendor will be sending a replacement letter via U.S. mail with the code included. You will receive it shortly.

If you do not want to wait for the replacement letter, you can access your code by contacting the confidential call center at 1-833-914-4690 (available Monday through Friday, excluding holidays, 5 a.m. to 5 p.m. Pacific time).

We are also aware that, in addition to the missing codes, many addresses included the incorrect city. Addresses were validated for deliverability via a USPS tool that validates street address and zip code. We regret the confusion caused by the incorrect city but it should not impact delivery. The replacement letters will contain the same addresses as the original letters. We chose to expedite the delivery of the unique codes over the time-consuming process of resolving the city errors.

We apologize for these errors and the inconvenience that has resulted. We want to assure you that the errors were not the result of the work of our forensic data investigator. The letters are legitimate and the information in the letters about the data that was accessed is accurate.

We thank you for your patience and, again, offer our sincere regrets about the errors.

From,

The Executive Council

Dear LC Community,

Last week, we shared an update with you regarding the 2023 cyberattack on the college. In that update, we described the process by which Breach Notification Letters would be sent via U.S. Mail to individuals whose personal protected information (PPI) was identified as being included anywhere in the impacted data.

As we noted, letters to individuals whose Social Security Number was impacted included information about precautionary measures recipients can take to protect their personal information, including complimentary credit monitoring services.

A unique code, which should have been included in the letter, is needed to access these complimentary credit monitoring services for individuals whose Social Security Number was impacted. If you have received a letter indicating that you are eligible for these services but did not receive a code in that letter, you will be receiving a second letter with your unique code shortly.

If at any point you have questions, we encourage you to access the confidential call center at 1-833-914-4690 (available Monday through Friday, excluding holidays, 5 a.m. to 5 p.m. Pacific time).

Dear LC Community,

We are reaching out to provide an update regarding the 2023 cyberattack and the college’s response to the cyberattack. As we reach the one-year anniversary of the event, there are some developments to share with you.

Analysis of the Data

Through a thorough investigation by an external cybersecurity forensic firm, we have concluded that the cybercriminals accessed data that was stored on portions of the LC Files servers that are used by Common Services, CAS, and Graduate School departments. There is no evidence that the cybercriminals accessed Colleague, or Workday, or other institutional databases or cloud-based systems, or that they accessed the network drive used by the Law School, which is all good news.

Unfortunately, because the affected servers were within LC Files, the review and analysis of the impacted data was painstaking and time-consuming. LC Files is not a database, it is a storage drive on which departments save documents of all types (i.e., Word documents, PDFs, Excel spreadsheets, etc.). This necessitated a document-by-document review process. That process is now complete.

Breach Notification Letters

Now that the investigation has been completed, the college will send formal notice letters to individuals whose personal protected information (PPI) is included within the data, as required by law. Therefore, if your PPI was identified as being included anywhere in the impacted data, you will soon receive a letter via U.S. Mail informing you of that fact, and telling you what type of data was included (i.e., Social Security number, financial information, health insurance information, etc.). The letters will look much like letters you have likely received on multiple occasions from other organizations that have been attacked by cybercriminals.

What Should I Do If I Get A Letter?

The letter will also include information about precautionary measures you can take to protect your personal information. If your Social Security number was impacted, the letter will provide complimentary credit monitoring services. Those of you who were employees or students of Lewis & Clark last spring were already offered these services, and many of you signed up for them. The college offered and paid for that support in the spring, even though the investigation had not yet been conducted, because we wanted to provide as much support as we could. If you receive a letter now that indicates your Social Security number may have been impacted and had previously signed up for credit monitoring, we recommend that you sign up again using the information in the letter. This will extend your credit monitoring support. If you did not previously sign up for credit monitoring, you should review the information in the letter and consider doing so now.

What Else Has the College Done Since the Cyberattack?

The college has taken numerous steps to harden our information systems since the cyberattack. Although we do not want to publicly discuss all of those measures, some of those steps have included installation of 24/7 end-point monitoring on all LC computers to detect and stop suspicious activity as soon as possible, installation of multi-factor authentication for remote network access, resetting of all LC passwords, as well as other behind-the-scenes measures. We have learned much from the event and will continue to work diligently to protect LC systems and data.

Again, if you receive an official breach notification letter, please review it carefully and consider accessing the credit monitoring (if applicable) and precautionary measures available to you. If you have questions, there will be information in the letter about how to get answers to those questions, including access to a confidential call center at 1-833-914-4690 (available Monday through Friday, excluding holidays, 8 a.m. to 8 p.m. (Eastern time)).

Thank you,

The Executive Council

Dear faculty and staff,

Good afternoon! We are writing to provide three important updates related to cybersecurity and our campus.

The first is an update on the investigation into the March 2023 cyberattack that impacted our campus and many of our community members. Our experts have worked throughout the summer on a comprehensive and thorough review of the materials that were compromised in the attack. At this point, they have reviewed roughly 90 percent of the files. Due to the complex nature of these materials, the process has required significant manual review. There are a number of steps that need to be completed before notifications will be sent to individuals whose protected information was confirmed to have been compromised. We will keep you posted as more information becomes available.

The second update: At the beginning of the summer President Holmes-Sullivan tasked the IT Governance Council with documenting the college’s ongoing efforts to sustain a robust cybersecurity position, with respect to both the management of our IT systems and the actions and responsibilities of all members of the Lewis & Clark community. That report, which includes actions undertaken in the near-term and the medium-term, is now complete. You can access it at the following link using your LC login credentials: https://bit.ly/3P58R1T

Our third update is sharing two of the most broadly relevant near-term measures. This semester you will see new software and updates to existing tools. For example, Google Plus licenses have been deployed to all staff and faculty. This implementation offers advanced security features that work to prevent, detect, and remediate security incidents.

In addition, in order to further secure our network, GlobalProtect, our Virtual Private Network (VPN), now requires the use of Multi-Factor Authentication (MFA). MFA adds an additional layer of authentication to ensure that you are the one that is trying to access your account. Access to VPN with MFA will be provided to community members who need to access network assets remotely.

To gain access to VPN with MFA contact itservice@lclark.edu with your name, LC email, and a description of your reason for needing remote access. Faculty should request access on behalf of their students if remote access is required for their course.

We will continue to add MFA to additional applications moving forward, so be on the lookout for additional communications.

Protecting the data on which our collective work depends is a high priority. The IT Governance Council will continue to develop policies and work with IT staff and consultants to identify and stay ahead of emerging threats. We will also continue to share pertinent information with the LC community with the goal of working together to keep our campus safe and secure.

Sincerely,

IT Governance Council

Members

• Adam Buchwald, Chief Information Officer
• Evette Castillo Clark, Vice President for Student Life and Dean of Students
• Andrea Dooley, Chief Financial Officer, Vice President for Operations
• Lori Friedman, Vice President for Communications
• Scott Fletcher, Dean of the Graduate School
• Jennifer Johnson, Dean, Erskine Wood Sr. Professor of Law, Lewis & Clark Law School
• David Reese, Vice President, General Counsel, Chief of Staff and Board Secretary
• Eric Staab, Vice President for Admissions and Financial Aid
• Bruce Suttmeier, Dean of the College of Arts and Sciences
• Josh Walter, Vice President for Advancement

Staff Support

• Meredith Goddard, Director of Enterprise Applications
• Ann Harris, Information Security Officer

Dear faculty, staff, and students,

We are writing to provide an update regarding the investigation into the cyberattack.

The compromised data is currently being analyzed by an external firm in an effort to find and identify any protected personal information that may be in it. It appears that the compromised data was retrieved from LC Files, which is the network drive that offices across campus use for storage of documents and other files.

There is no evidence to suggest that data from other systems was compromised beyond LC Files, such as Workday, the system that maintains employee and payroll data; Colleague, our general ledger and student information system; or Nelnet, the tuition payment system. It is encouraging that the investigation to date suggests that data from these major college systems were not compromised.

We are aware that some are experiencing fraudulent use of their personal information, including a number of employees who have reported that tax returns were filed using their social security numbers. These are truly distressing situations. We want to acknowledge the unsettling nature of these events and the major inconvenience of having to spend time trying to remedy them.

Signing up for credit monitoring, identity restoration services, and identity insurance by filling out this form remains the best action you can take to protect yourselves. If you have not done so already, we urge you to sign up for this service, which includes an Experian credit report at signup, active monitoring for indicators of fraud with the three major credit bureaus, and identity restoration services.

If you suspect an identity theft event, Experian’s Identity Restoration team will work with you as part of the services provided. They can assist throughout the fraud resolution process including by providing support to freeze credit files, contacting creditors to dispute charges, close accounts, compile documents, and contact relevant government and law enforcement agencies. Identity insurance is also included with the services and will cover certain costs and unauthorized electronic fund transfers.

Any individual whose private personal information was confirmed to have been acquired during the attack will receive written notification.

We remain committed to the safety and wellbeing of the LC community and will provide further updates as information becomes available.

Sincerely,

The Executive Council

Dear students, staff, and faculty,

A number of questions and concerns regarding the data posted by the cybercriminals who attacked the LC network have surfaced in the last few weeks. New information has been added to the FAQs to help provide additional support to the community: https://www.lclark.edu/news/march-2023/.

It is now clear that some amount of personal information belonging to the members of the LC community is included in the data. The full nature and scope of that data is not yet known and will not be confirmed until the investigation by our external experts is completed.

Our forensic experts are undertaking a process that is methodical and painstaking. It wasn’t until this week that they were able to safely and successfully download the illegally stolen data from the “dark web.” They are currently scanning it for malicious content to ensure it is safe to analyze. The data will then be thoroughly and carefully reviewed, and any person whose protected personal information is found to have been included in the data will receive a formal legal notice. The same services that are being offered to current students and employees will be offered to anyone whose protected private information was compromised in this attack.

While necessary to protect the community, we regret the lengthiness of this process and know it is a source of frustration. It is unsettling to wonder and not know if your personal information has been compromised. That is why we have taken the proactive step of offering complimentary credit monitoring to all current students and employees now, choosing not to wait for the full retrieval and confirmation of data to provide this assistance.

Credit monitoring is the most important step you can take to protect yourself. In addition to monitoring, the services provided include identity restoration support and identity theft insurance for anyone experiencing an incidence of fraud. We urge you to sign up for these services by filling out this short request form. After you submit the form, you will automatically receive an email from the address “IT Enterprise Applications team,” with the subject “Credit Monitoring Request Submitted,” which will include an enrollment code, additional details on services provided, and instructions on how you can activate the services. This automatic email response is not spam.

We are aware that a number of individuals report discovering that their social security numbers have been used to fraudulently file a tax return. We have added information to the FAQ page with a link to information from the IRS about how to handle such a situation.

We are also aware that concerned members of the community have searched the “dark web” and identified data that may now be circulating. Accessing stolen, illegal information from the “dark web” carries risks for those who access and distribute it. It could also facilitate additional criminal and malicious activity targeting our community. It is for these reasons that we are asking you to refrain from accessing or distributing such material.

As always, thank you for your understanding and patience.

Sincerely,

The Executive Council

Dear LC Community,

We recently learned that the cybercriminals responsible for the recent security incident published some amount of Lewis & Clark data on a “dark web” website. We are currently working to retrieve the information and to determine the extent to which it includes any sensitive personal information. Due to how cybercriminals publish data, it may take time to determine the full scope and nature of this data. We will provide formal notification to any individuals whose protected information is found to have been compromised in the course of this investigation, in accordance with all applicable laws, once the investigation is complete.

In the meantime, we are offering free credit monitoring to current students and employees.

If you would like to sign up for credit monitoring services, please fill out this short request form. You will then be provided with an enrollment code and instructions on how you can activate the service.

Below are additional steps you can take to protect your information, irrespective of whether it was compromised in this incident. We encourage you to review and consider whether they are appropriate for you.

Placing a Fraud Alert on Your Credit File

You may place an initial one-year “fraud alert” on your credit files at no charge. A fraud alert tells creditors to contact you personally before they open any new accounts. To place a fraud alert, call any one of the three major credit bureaus at the numbers listed below. As soon as one credit bureau confirms your fraud alert, they will notify the others.

If you are very concerned about becoming a victim of fraud or identity theft, you may also request a “security freeze” be placed on your credit file at no charge. A security freeze prohibits, with certain exceptions, the consumer reporting agencies from releasing your credit report or any information from it without your express authorization. You may place a security freeze on your credit report by contacting all three nationwide credit reporting companies at the numbers below and following the stated directions or by sending a request in writing, by mail, to all three credit reporting companies:

In order to place the security freeze, you’ll need to supply your name, address, date of birth, Social Security number, and other personal information. After receiving your freeze request, each credit reporting company will send you a confirmation letter containing a unique personal identification number (PIN) or password. Keep the PIN or password in a safe place. You will need it if you choose to lift the freeze.

Obtaining a Free Credit Report

Under federal law, you are entitled to one free credit report every 12 months from each of the above three major nationwide credit reporting companies. Call 1-877-322-8228 or request your free credit reports online at www.annualcreditreport.com. Once you receive your credit reports, review them for discrepancies. Identify any accounts you did not open or inquiries from creditors that you did not authorize. Verify all information is correct. If you have questions or notice incorrect information, contact the credit reporting company.

Additional Helpful Resources

Even if you do not find any suspicious activity on your initial credit reports, the Federal Trade Commission (FTC) recommends that you check your credit reports periodically. Checking your credit report periodically can help you spot problems and address them quickly.

If you find suspicious activity on your credit reports or have reason to believe your information is being misused, call your local law enforcement agency and file a police report. Be sure to obtain a copy of the police report, as many creditors will want the information it contains to absolve you of the fraudulent debts. You may also file a complaint with the FTC by contacting them on the web at www.ftc.gov/idtheft, by phone at 1-877-IDTHEFT (1-877-438-4338), or by mail at Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue, NW, Washington, DC 20580. Your complaint will be added to the FTC’s Identity Theft Data Clearinghouse, where it will be accessible to law enforcement for their investigations. In addition, you may obtain information from the FTC about fraud alerts and security freezes.

Thank you for your continued patience and understanding. We will continue to share information as we have it.

Sincerely,

The Executive Council

Dear LC Community,

As you are aware, we experienced a cyberattack beginning on March 3 which significantly impacted almost all IT systems on campus. We are now at a point in our response in which we are able to share more information about the nature of the incident.

It is common in such an instance for the attackers to use ransomware, which is a type of malicious software, or malware, to prevent the victim from accessing their computer files, systems, and networks until a ransom is paid. We now know that the attack was perpetrated by a group known for similar attacks against educational institutions.

Following the advice of law enforcement and our external experts, the college has chosen not to pay ransom. Instead, we have worked nonstop to rebuild our IT systems from backups which are regularly retained by the college. At the same time, we have been working with a cybersecurity forensic firm to assess whether and to what extent there has been any compromise of protected or otherwise sensitive data as a result of this incident.

The cybercriminals responsible for the incident now claim to have published a limited amount of Lewis & Clark data on a “dark web” website maintained by the threat actors. Our external cyber forensic firm is helping us to investigate this claim. We are currently working to retrieve the information, at which time we will conduct a thorough review. When cybercriminals publish data of this nature, they do so on portions of the internet that are unindexed, not easily searchable, and only accessible by means of special software, which means that it may take a while to investigate the scope and nature of this claim.

Given that we do not have reliable information about the scope or content of the allegedly published data, there is no action for you to take at this time. In the event we determine that the incident resulted in unauthorized access or acquisition of protected information related to students, faculty, staff, parents, or other friends of the college, we will provide notification to impacted individuals in accordance with state and federal regulations.

To date, we do not have evidence that the information involved in this incident has been used for identity theft or financial fraud. We are taking this very seriously and using all resources available to conduct a thorough and diligent review of the impacted data.

As a reminder, if you receive communications from persons claiming to have your personal information, or which are otherwise suspicious, please do not respond, and immediately report the incident to security@lclark.edu.

Once again, we appreciate your patience during our continued response to the incident.

Sincerely,

The Executive Council