[BreachExchange] College should have shared data breach information sooner, experts say

Destry Winant destry at riskbasedsecurity.com
Tue Jun 16 10:22:22 EDT 2020


Eight days after the school fell victim to an attack by NetWalker, a
group of data hackers, Columbia officials sent a collegewide email
stating the college is “working diligently around the clock with
outside professionals and law enforcement to protect its student
community and employees.”

The email said individuals who have been impacted by this breach are
currently unknown because the investigation is still underway, and
said the college will provide more guidance and notify those affected
when more information surfaces.

According to Brett Callow, a threat analyst for international
cybersecurity at Emsisoft, establishing post-incident what did or did
not happen and what data may have been compromised is “far from
easy and the necessary forensic investigation can take several weeks
to complete.”

But Callow said incidents like Columbia’s should be treated as data
breaches from the beginning and there should have been appropriate
guidance provided immediately to potentially affected parties.

By Callow’s standard, students, faculty and staff should have been
notified of the Saturday, May 30 data breach as soon as the college
discovered it.

“It’s better for people to take precautions that prove unnecessary
than to become the victims of cybercrime,” Callow said.

On Tuesday, June 2 the Information Technology Department sent a
collegewide email stating the department detected “malicious activity”
in the college’s data center Saturday, May 30. It said the college
caught the cyber attack quickly but some Columbia applications were
still compromised, resulting in six of them being shut down.

The email did not warn the Columbia community of potential risks or
offer advice on steps faculty and staff should take to protect their

In an interview with the Chronicle Tuesday, June 2, Associate Vice
President and CIO Kathie Koch said from what she knew at the time no
information was taken from the college’s servers.

A Thursday, June 4 post in EdScoop, a site that covers educational
technology, said hackers threatened to expose Columbia files
containing “highly sensitive data like social security numbers and
other private information,” on the dark web unless their demands were

As reported by the Chronicle Friday, June 5, Chief of Staff Laurent
Pernot said, “Some college, employee and student data was accessed by
the perpetrators, though the exact nature and extent of that is still
being determined.”

Koch has not responded to the Chronicle’s repeated requests for
interviews for further information between Friday, June 5 and press
time Wednesday, June 10.

Pernot said in a Wednesday, June 10 email statement to the Chronicle
that the college plans to update the campus community again this week
and will notify those impacted individually.

Joanna Sobran, CEO and president of MXOtech, said it is important to
understand the difference between data breaches and ransomware.

She said NetWalker is classified as ransomware, which does not
explicitly imply a data breach occurred, but means files are encrypted
to deny access unless a ransom is paid.

In the Monday, June 8 collegewide email, the college announced its
partnership with CrowdStrike, a cybersecurity firm, and the
installation of its Falcon software on college-owned servers and other
network-connected computers.

The announcement said the software will monitor all systems, and the
service “includes alerting, blocking, and containment capabilities
against malicious behavior.”

Callow said Emsisoft often recommends organizations completely rebuild
their networks as opposed to simply decrypting data or restoring it
from backups. He said this is recommended because hacker groups can
often leave “backdoors” used to launch a second attack or maintain
continuous access to compromised networks.

One of the college’s applications that was down last week was
MyColumbia, which contains the personal information of students,
faculty and staff, and student employment information.

Jim Droske, president of the consumer credit repair company Illinois
Credit Services, said everyone should act and take steps under the
assumption their personal information or data is “out there.”

Information such as names, addresses, date of birth, social security
numbers, phone numbers, account numbers, passwords, user IDs and bank
information could have been part of the breach, as the extent of what
was compromised is still not entirely known, Droske said.

Droske said proper steps would include obtaining copies of all three
credit reports, which does not affect credit scores, and monitoring
credit or new inquiries daily; changing passwords on all accounts and
not using the same one twice; using a credit card rather than a debit
card; checking statements for unauthorized charges; and treating
accounts with money in them as the “highest priority.”

Craig Sigele, academic manager for the Communication Department and
president of USofCC, the staff union, said several weeks ago the union
heard Columbia might be the victim of a ransomware attack, but he was
told by Human Resources they were not aware of any data breaches at
the time.

Sigele said the time it took the college to issue a formal response is
“concerning” and he would have liked more specific direction on how
staff members can protect their social security numbers, bank and
routing numbers and whether or not passwords should be changed.

“I don’t think unless the Chronicle had come out with that report
about the ransomware that [Columbia] would ever share that
information,” Sigele said.

Diana Vallera, president of CFAC, the part-time faculty union, said
since the investigation is ongoing, the college has said it cannot
give her any additional updates outside of the collegewide emails.

Vallera, also a part-time faculty member in the Photography
Department, said she is looking into practices used by other
universities dealing with similar issues to avoid future data breaches
and thinking about necessary protections for students, staff and
faculty whose information may be compromised.

“It certainly makes me question what happened, what kind of security
is in place and do we need to allocate more resources going forward,”
Vallera said.

St. Louis resident Cindy McReynolds, whose daughter attends Columbia,
said when she first heard Columbia was the victim of a ransomware
attack, she was empathetic that the college had to deal with the
situation on top of the coronavirus and campus damages following
citywide riots.

However, McReynolds said after reading the emails from the college and
looking at other parents’ concern on Facebook, she decided to change
her bank password “just to be safe.”

Droske said everyone should worry about taking steps to be proactive
in protecting themselves and their personal information—regardless of
a data breach and the extent of information compromised.

“Passwords can be changed; credit can be frozen and monitored,” Droske
said. “There are many things consumers should be doing in wake of an
imperfect world of technology, and fraudsters are feasting.”

Michael Wozny, director of the Chicago IT support firm MXOtech, said
at this point, the college should have informed everyone at the
college of the specific nature and extent of the breach, the potential
data loss if present, remediation and a prevention plan, and provided
dark web scanning for impacted users and credit monitoring.

“Breaches of information should be shared near real time, in order to
minimize panic and further potential compromise,” Wozny said.

Droske said to keep in mind that a “very small percentage of
data-breached consumers have actual identity theft relative to the
number of files that are breached.”

He said there is also no guarantee in tracing the problem back to a
specific breach.

“So, which breach is to blame? If someone from [Columbia] gets
compromised by identity theft, was it because of the [college’s]
breach or were they one of the 146 million consumers compromised in
the massive [2017] Equifax Data Breach?” Droske said. “No one will
ever know.”
