Whitworth University has informed the state attorney general’s office that a data breach this summer was a ransomware attack that may have affected thousands of former and current students and staff.
The notification was made in a letter dated Oct. 4 from the law firm Wilson Elser based in New York City. In the letter, the private university acknowledges for the first time publicly the data breach that occurred July 29 was a ransomware attack, a growing field of cybercrime in which hackers seize control of data and demand payment for its release. Under state law, a data breach affecting more than 500 residents of Washington must be reported to the Washington Attorney General.
Whitworth said the breach may have affected 5,182 residents of Washington state. It’s unclear how many more out-of-state residents employed or attending the school could be affected, because the university first reviewed its records to find Washington residents affected to meet a legal deadline of 30 days for notification, said Trisha Coder, media relations manager for the university.
Coder also said she couldn’t disclose whether the university paid a ransom, citing an ongoing criminal investigation.
“Multiple unauthorized actors infiltrated our network,” the October letter states.
Those actors may have accessed names, student identification numbers, state identification numbers, passport numbers, Social Security numbers and health insurance information, according to the letter.
University officials determined that hackers were not able to access a system that holds the most sensitive information, Coder said.
“That was a very, very fortunate thing,” she said.
The school has since employed “third-party forensic specialists” to help bolster its security, and “wiped and rebuilt affected systems” after discovering the attack, according to the letter.
Whitworth is unaware of any data being “misused and has not received any reports of related identity theft since the date of the incident,” the letter reads. In addition, the university is providing free credit monitoring and identity theft protection through the consumer protection firm IDX. Potentially affected students and staff will be receiving notification of the service in the mail and have until Jan. 3 to apply, according to samples of the letter provided to the attorney general’s office.
The university also notified law enforcement.
The FBI, which is in the midst of observing cybersecurity awareness month, said the best way to stop a ransomware attack is to avoid unknown attachments and files and create secure backups. The agency asks that ransomware victims not pay the ransom, because there’s no guarantee the victim will get the data back and it could encourage further criminal activity.
Whitworth’s letter does not identify any group or entity the university believes responsible for the data breach. Industry watchers linked the attack to a group called LockBit, which has been identified as a growing international security threat in recent years. LockBit was behind an alleged attack of the Ireland-based IT firm Accenture in August 2021, when hackers demanded $50 million in payment for the release of stolen information.