March 2023 Cyber Attack Information

Dear faculty, staff, and students,

We are writing to provide an update regarding the investigation into the cyberattack.

The compromised data is currently being analyzed by an external firm in an effort to find and identify any protected personal information that may be in it. It appears that the compromised data was retrieved from LC Files, which is the network drive that offices across campus use for storage of documents and other files.

There is no evidence to suggest that data from other systems was compromised beyond LC Files, such as Workday, the system that maintains employee and payroll data; Colleague, our general ledger and student information system; or Nelnet, the tuition payment system. It is encouraging that the investigation to date suggests that data from these major college systems were not compromised.

We are aware that some are experiencing fraudulent use of their personal information, including a number of employees who have reported that tax returns were filed using their social security numbers. These are truly distressing situations. We want to acknowledge the unsettling nature of these events and the major inconvenience of having to spend time trying to remedy them.

Signing up for credit monitoring, identity restoration services, and identity insurance by filling out this form remains the best action you can take to protect yourselves. If you have not done so already, we urge you to sign up for this service, which includes an Experian credit report at signup, active monitoring for indicators of fraud with the three major credit bureaus, and identity restoration services.

If you suspect an identity theft event, Experian’s Identity Restoration team will work with you as part of the services provided. They can assist throughout the fraud resolution process including by providing support to freeze credit files, contacting creditors to dispute charges, close accounts, compile documents, and contact relevant government and law enforcement agencies. Identity insurance is also included with the services and will cover certain costs and unauthorized electronic fund transfers.

Any individual whose private personal information was confirmed to have been acquired during the attack will receive written notification.

We remain committed to the safety and wellbeing of the LC community and will provide further updates as information becomes available.

Sincerely,

The Executive Council

Dear students, staff, and faculty,

A number of questions and concerns regarding the data posted by the cybercriminals who attacked the LC network have surfaced in the last few weeks. New information has been added to the FAQs to help provide additional support to the community: https://www.lclark.edu/news/march-2023/.

It is now clear that some amount of personal information belonging to the members of the LC community is included in the data. The full nature and scope of that data is not yet known and will not be confirmed until the investigation by our external experts is completed.

Our forensic experts are undertaking a process that is methodical and painstaking. It wasn’t until this week that they were able to safely and successfully download the illegally stolen data from the “dark web.” They are currently scanning it for malicious content to ensure it is safe to analyze. The data will then be thoroughly and carefully reviewed, and any person whose protected personal information is found to have been included in the data will receive a formal legal notice. The same services that are being offered to current students and employees will be offered to anyone whose protected private information was compromised in this attack.

While necessary to protect the community, we regret the lengthiness of this process and know it is a source of frustration. It is unsettling to wonder and not know if your personal information has been compromised. That is why we have taken the proactive step of offering complimentary credit monitoring to all current students and employees now, choosing not to wait for the full retrieval and confirmation of data to provide this assistance.

Credit monitoring is the most important step you can take to protect yourself. In addition to monitoring, the services provided include identity restoration support and identity theft insurance for anyone experiencing an incidence of fraud. We urge you to sign up for these services by filling out this short request form. After you submit the form, you will automatically receive an email from the address “IT Enterprise Applications team,” with the subject “Credit Monitoring Request Submitted,” which will include an enrollment code, additional details on services provided, and instructions on how you can activate the services. This automatic email response is not spam.

We are aware that a number of individuals report discovering that their social security numbers have been used to fraudulently file a tax return. We have added information to the FAQ page with a link to information from the IRS about how to handle such a situation.

We are also aware that concerned members of the community have searched the “dark web” and identified data that may now be circulating. Accessing stolen, illegal information from the “dark web” carries risks for those who access and distribute it. It could also facilitate additional criminal and malicious activity targeting our community. It is for these reasons that we are asking you to refrain from accessing or distributing such material.

As always, thank you for your understanding and patience.

Sincerely,

The Executive Council

Dear LC Community,

We recently learned that the cybercriminals responsible for the recent security incident published some amount of Lewis & Clark data on a “dark web” website. We are currently working to retrieve the information and to determine the extent to which it includes any sensitive personal information. Due to how cybercriminals publish data, it may take time to determine the full scope and nature of this data. We will provide formal notification to any individuals whose protected information is found to have been compromised in the course of this investigation, in accordance with all applicable laws, once the investigation is complete.

In the meantime, we are offering free credit monitoring to current students and employees.

If you would like to sign up for credit monitoring services, please fill out this short request form. You will then be provided with an enrollment code and instructions on how you can activate the service.

Below are additional steps you can take to protect your information, irrespective of whether it was compromised in this incident. We encourage you to review and consider whether they are appropriate for you.

Placing a Fraud Alert on Your Credit File

You may place an initial one-year “fraud alert” on your credit files at no charge. A fraud alert tells creditors to contact you personally before they open any new accounts. To place a fraud alert, call any one of the three major credit bureaus at the numbers listed below. As soon as one credit bureau confirms your fraud alert, they will notify the others.

If you are very concerned about becoming a victim of fraud or identity theft, you may also request a “security freeze” be placed on your credit file at no charge. A security freeze prohibits, with certain exceptions, the consumer reporting agencies from releasing your credit report or any information from it without your express authorization. You may place a security freeze on your credit report by contacting all three nationwide credit reporting companies at the numbers below and following the stated directions or by sending a request in writing, by mail, to all three credit reporting companies:

In order to place the security freeze, you’ll need to supply your name, address, date of birth, Social Security number, and other personal information. After receiving your freeze request, each credit reporting company will send you a confirmation letter containing a unique personal identification number (PIN) or password. Keep the PIN or password in a safe place. You will need it if you choose to lift the freeze.

Obtaining a Free Credit Report

Under federal law, you are entitled to one free credit report every 12 months from each of the above three major nationwide credit reporting companies. Call 1-877-322-8228 or request your free credit reports online at www.annualcreditreport.com. Once you receive your credit reports, review them for discrepancies. Identify any accounts you did not open or inquiries from creditors that you did not authorize. Verify all information is correct. If you have questions or notice incorrect information, contact the credit reporting company.

Additional Helpful Resources

Even if you do not find any suspicious activity on your initial credit reports, the Federal Trade Commission (FTC) recommends that you check your credit reports periodically. Checking your credit report periodically can help you spot problems and address them quickly.

If you find suspicious activity on your credit reports or have reason to believe your information is being misused, call your local law enforcement agency and file a police report. Be sure to obtain a copy of the police report, as many creditors will want the information it contains to absolve you of the fraudulent debts. You may also file a complaint with the FTC by contacting them on the web at www.ftc.gov/idtheft, by phone at 1-877-IDTHEFT (1-877-438-4338), or by mail at Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue, NW, Washington, DC 20580. Your complaint will be added to the FTC’s Identity Theft Data Clearinghouse, where it will be accessible to law enforcement for their investigations. In addition, you may obtain information from the FTC about fraud alerts and security freezes.

Thank you for your continued patience and understanding. We will continue to share information as we have it.

Sincerely,

The Executive Council

Dear LC Community,

As you are aware, we experienced a cyberattack beginning on March 3 which significantly impacted almost all IT systems on campus. We are now at a point in our response in which we are able to share more information about the nature of the incident.

It is common in such an instance for the attackers to use ransomware, which is a type of malicious software, or malware, to prevent the victim from accessing their computer files, systems, and networks until a ransom is paid. We now know that the attack was perpetrated by a group known for similar attacks against educational institutions.

Following the advice of law enforcement and our external experts, the college has chosen not to pay ransom. Instead, we have worked nonstop to rebuild our IT systems from backups which are regularly retained by the college. At the same time, we have been working with a cybersecurity forensic firm to assess whether and to what extent there has been any compromise of protected or otherwise sensitive data as a result of this incident.

The cybercriminals responsible for the incident now claim to have published a limited amount of Lewis & Clark data on a “dark web” website maintained by the threat actors. Our external cyber forensic firm is helping us to investigate this claim. We are currently working to retrieve the information, at which time we will conduct a thorough review. When cybercriminals publish data of this nature, they do so on portions of the internet that are unindexed, not easily searchable, and only accessible by means of special software, which means that it may take a while to investigate the scope and nature of this claim.

Given that we do not have reliable information about the scope or content of the allegedly published data, there is no action for you to take at this time. In the event we determine that the incident resulted in unauthorized access or acquisition of protected information related to students, faculty, staff, parents, or other friends of the college, we will provide notification to impacted individuals in accordance with state and federal regulations.

To date, we do not have evidence that the information involved in this incident has been used for identity theft or financial fraud. We are taking this very seriously and using all resources available to conduct a thorough and diligent review of the impacted data.

As a reminder, if you receive communications from persons claiming to have your personal information, or which are otherwise suspicious, please do not respond, and immediately report the incident to security@lclark.edu.

Once again, we appreciate your patience during our continued response to the incident.

Sincerely,

The Executive Council