Cyber Incident Victim: Mercer University
Date: May 2023
Location: United States of America
Summary
Mercer University suffered a cybersecurity incident involving unauthorized access to its computer network. The investigation, assisted by law enforcement and consultants, determined that hackers stole sensitive information including Social Security numbers and driver's license numbers of students, parents, and employees. The university stated there was no evidence that personal financial information was removed. The incident was subsequently claimed by the Akira ransomware gang.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On or around May 6, 2023, Chattanooga State Community College discovered a cyber incident, prompting the institution to intentionally shut down its systems over that weekend to mitigate and investigate the intrusion. The attack significantly disrupted the school's operations during a critical period of final exams and commencement ceremonies, forcing the cancellation of all classes on Monday, May 8. The college, which serves more than 11,000 students, experienced widespread outages across most of its student services due to the attack. These affected systems included those necessary for student IDs, parking passes, financial aid, academic advising, course registration, bill payment, transcript requests, testing, and disability services. The disruption also impacted the start of new classes scheduled for that week, with the college being forced to either offer refunds or delay their commencement. Furthermore, a National Signing Day event scheduled for Thursday, May 11, was canceled as a result of the incident. In response, the college engaged law enforcement, The College System of Tennessee, the State of Tennessee Attorney General’s Office, and an unnamed cybersecurity vendor to assist in its response efforts. College President Rebecca Ashford acknowledged the challenging time and stated the college community was rallying and demonstrating resiliency, trust, and care for each other.

Separately, Mercer University in Macon, Georgia, also suffered a cybersecurity incident. The university announced the incident on Tuesday, May 9, stating it had recently detected unauthorized access to its computer network. In response, Mercer University launched an investigation with the assistance of law enforcement and outside legal and technical consultants, though the school did not specify the identities of these outside experts. The investigation determined that, although the university had taken extensive measures to protect the privacy of its information, some data was exfiltrated from its systems without authorization. The stolen sensitive information belonged to students, parents, and employees and included Social Security numbers and driver’s license numbers. The university stated that its investigation found no evidence that personal financial information was removed. Mercer University, which was founded in 1833 and serves more than 9,000 students, declined to comment further on the particulars of the incident. However, a new ransomware gang named Akira added Mercer University to its list of victims during the same week the announcement was made. This gang, which emerged in March 2023, has attacked dozens of businesses and schools and typically demands ransoms ranging from $200,000 to millions of dollars. Akira also offers victims lower ransoms in cases where data theft, rather than system encryption, is the primary component of the attack.
The incidents at both educational institutions occurred during a concentrated period of cyberattacks targeting colleges and universities as the academic year was wrapping up. According to Emsisoft ransomware expert Brett Callow, there had been a definite uptick in ransomware attacks on educational institutions in recent weeks, with at least 35 reported by May 9, 2023. Callow noted that such spikes are not unusual and suggested that exam time might be a strategically advantageous period for threat actors to detonate payloads on already compromised networks, maximizing disruption. The attack on Chattanooga State Community College occurred just eight weeks after Tennessee State University, another public institution in the state, notified its more than 8,000 students that its IT systems had been brought down by a separate ransomware attack. Furthermore, the Akira gang listed another victim, BridgeValley Community & Technical College in West Virginia, the week prior to listing Mercer University, indicating a broader campaign targeting the education sector.
The impact on Chattanooga State was primarily operational, causing immediate and extensive disruption to academic and administrative functions. The deliberate shutdown of systems was a containment measure that, while necessary for investigation and mitigation, prolonged the outage and extended the period of inconvenience and operational hindrance for students, faculty, and staff. The cancellation of classes and a significant event like National Signing Day, along with the delays in starting new courses, directly affected the academic calendar and student activities. The inability to access essential services such as financial aid, academic advising, and registration created significant hurdles for students attempting to conclude their semester and make plans for the future.
For Mercer University, the primary impact was a breach of sensitive personal data. The theft of Social Security numbers and driver’s license numbers for a population that included not only students and employees but also their parents created a substantial risk of identity theft and fraud for the affected individuals. While the university stated that personal financial information was not taken, the types of data confirmed to be stolen are highly valuable for malicious actors and can lead to long-term consequences for the victims. The university’s announcement served as the initial step in notifying those whose information was compromised, though the full scope and number of affected individuals were not disclosed publicly.
The response actions for both incidents followed similar paths in terms of engaging external assistance but differed due to the nature of the attacks. Chattanooga State’s response focused on containment through system isolation and then investigation with the help of multiple state-level government entities and a private cybersecurity firm. This coordinated effort aimed to understand the scope of the intrusion, eradicate the threat, and restore systems safely. The public statements from the college’s president were aimed at maintaining community morale and transparency during the disruptive event.
Mercer University’s response was initially focused on investigation and assessment to determine what, if any, data was accessed and stolen. By engaging law enforcement and external consultants, the university worked to ascertain the facts of the unauthorized access. The confirmation of data exfiltration then triggered the necessary steps associated with a data breach, including public disclosure and presumably the subsequent offering of credit monitoring or identity protection services to the affected parties, though such measures were not explicitly detailed in the initial announcement. The university’s decision to decline further comment on the specifics of the incident is consistent with common practice during an ongoing investigation, particularly one involving law enforcement.
The involvement of the Akira ransomware group in the Mercer University incident provides context for the potential motives and methods behind the attack. The group’s modus operandi, which includes both data encryption and data theft, suggests a double-extortion strategy in which victims are pressured to pay a ransom both to prevent the public release of stolen data and to receive a decryption key. The gang’s policy of offering a lower ransom if only data theft occurred indicates a flexible approach to extortion based on the outcome of the intrusion. Because Mercer University did not publicly characterize its event as a ransomware attack, describing it instead as unauthorized access and data theft, the full nature of the incident remains unclear from public reporting. However, its appearance on Akira’s victim list strongly suggests a ransomware-associated breach.
These incidents highlight the ongoing vulnerabilities within the education sector, which often manages significant amounts of sensitive personal data alongside critical operational systems that are essential for daily academic functions. The timing of these attacks at the end of the school year appears to be a deliberate tactic to increase leverage against the institutions by maximizing disruption during a pivotal time for students and faculty. The response from both institutions demonstrates the standard protocol of involving external experts and law enforcement to manage the technical and legal complexities of a cyber incident. The outcomes for Chattanooga State were immediate operational paralysis, while for Mercer University the consequences involved the long-term risks associated with a data breach for its community members.
