Cyber Incident Victim: Chattanooga State Community College

On May 6, 2023, Chattanooga State Community College (ChattState) experienced a significant cyber incident. The college's IT department first detected the event on Saturday, May 6th, prompting an immediate response. The nature of the incident necessitated the proactive shutdown of numerous critical campus IT systems to contain the threat and prevent further damage. This action had an immediate and profound impact on college operations, coinciding with the scheduled start of the summer semester. In response to the ongoing investigation and recovery efforts, Chattanooga State canceled all classes scheduled from May 8th through May 26th. Furthermore, all credit classes scheduled for the summer semester were delayed, significantly disrupting the academic calendar for a substantial portion of the student body and faculty.

The cyber attack rendered a wide array of essential college services completely unavailable. The college officially listed ten specific services that were taken offline and inaccessible. These services included the processing of Student IDs and Parking Passes, Academic Advising, Financial Aid services, student Registration systems, Payment systems, Transcript Requests, Testing services, Career Services, and the Center for Access & Disability Services. The unavailability of these core systems meant that the college staff could not answer questions related to them, as the necessary data and applications were also inaccessible. The widespread system outage forced the college to limit its on-campus presence; only the library, cafeteria, daycare center, and bookstore remained open during this period. The campus was described as relatively empty, with only a handful of students and faculty present.

Chattanooga State initiated a comprehensive response to the incident by engaging with external experts and authorities. The college began actively working with law enforcement agencies and a cyber forensics vendor to investigate the breach. Following the recommendation of law enforcement, the college initially declined to release specific details regarding the precise nature and scope of the incident, citing the ongoing investigation. The recovery effort was a coordinated undertaking involving TBR-The College System of Tennessee, the State of Tennessee Attorney General’s Office, third-party forensics and cyber protection vendors, and other appropriate agencies. The college's public statements apologized for the inconvenience and assured students, faculty, staff, and the community that measures were being taken to protect systems and data to mitigate future incidents. They committed to keeping stakeholders informed as the investigation and recovery progressed and encouraged vigilance regarding personal information protection.

The incident also resulted in the cancellation of non-academic events, including T-CAT National Signing Day and a retirement celebration that had been scheduled for the week following the attack. The only classes that continued to meet were those related to T-CAT and Economic Workforce Development, along with Skillup programs, indicating these systems operated on a separate infrastructure not affected by the main college network outage. The college stated that information regarding refunds for the canceled classes would be provided at a later date. Students expressed frustration and anxiety over the situation, highlighting the practical difficulties caused by the sudden closure. Concerns were raised about missed academic work, unresolved financial aid matters, and the inconvenience for those who had traveled to campus only to find it closed and services unavailable. There was no immediate indication from the college as to when normal operations would resume.

Subsequent investigation into the breach confirmed it was an external system breach, specifically categorized as hacking. The forensic analysis determined that the incident resulted in the acquisition of sensitive personal information. The compromised data included individuals' names or other personal identifiers in combination with their Social Security Numbers. In accordance with data breach notification laws, the college reported that the total number of persons affected by the breach was 1,244, which included two residents of the state of Maine. The date the breach occurred was identified as May 6, 2023, which was the same date it was discovered by the IT department. The college's Chief Information Officer, Brad McCormick, was the official who submitted the breach notification details.

As part of its response to the data compromise, Chattanooga State Community College provided notification and protection services to the affected individuals. The type of notification provided to consumers was written notice. These notifications were sent to affected individuals on June 28, 2023. Furthermore, the college offered identity theft protection services to those whose information was compromised. The service provided was Equifax Credit Watch Gold, and it was offered for a duration of twelve months to help monitor and protect the credit of the impacted individuals. This offering was a direct response to the exposure of highly sensitive Social Security Numbers during the security incident.