
Cyber Incident Victim: Truman State University

Date: Apr 2023

Location: United States of America

Summary

Truman State University experienced a cybersecurity virus attack that forced the shutdown of its entire campus network. The incident primarily affected university-issued Windows devices, leading to widespread service disruptions including canceled online classes, inaccessible email, and the loss of data saved on network drives after a certain date. In-person classes continued, but without access to digital tools. The university restored services progressively, prioritizing academic systems and internet access, while requiring security software installations and password changes for all users.


Description

On Friday, April 21, 2023, Truman State University in Kirksville, Missouri, experienced a significant cybersecurity incident described by the university as a "cybersecurity virus attack." The attack prompted the university's Information Technology Services (ITS) department to take the entire campus network offline out of an abundance of caution. This initial action was a defensive measure taken in response to the detection of malware that had been released across the university network. ITS immediately recommended that all Truman-issued computers and workstations be powered down and remain inactive until the event was resolved. Personnel on campus powered down workstations of employees who were not present that day. The specific origin and nature of the malware were not publicly disclosed, and no threat group claimed responsibility for the attack at any point during the public response.


The immediate impact of the network takedown was widespread. Internet access on campus became completely unavailable. In-person classes continued to meet on Monday, April 24, but instructors were unable to utilize any classroom technologies, including projectors, document cameras, or console computers. All online classes for Monday, April 24, and Tuesday, April 25, were canceled. Faculty were instructed to accommodate students with regard to any assignments or projects that were due or had been assigned since the attack began on April 21. University offices remained open, but hourly employees were required to manually track their work hours until network-dependent timekeeping systems could be restored. Essential campus services, including dining halls operated by Sodexo, the Student Recreation Center, the Student Health Center, and University Counseling Services, remained operational for in-person appointments and walk-ins. Pickler Memorial Library stayed open to provide study spaces, but its online databases and catalog were inaccessible, though physical items could still be checked out.

The university established a dedicated Google Sites page to serve as the primary channel for providing regular updates and answering frequently asked questions, as official email communication was not functional. Initial assessments from ITS indicated that only Truman-issued Windows-based devices were at risk from the particular virus. Student and employee personal devices, including those running Mac or Linux operating systems, were deemed not affected, though they could only access the internet using cellular data as the campus Wi-Fi was offline. The university stated it was too early to determine if any data or secure personally identifiable information had been compromised, though it initially believed its enterprise systems like Banner, Blackboard, DegreeWorks, and TruView were not involved.

Recovery efforts began in earnest the following week. On Monday, April 24, ITS completed a preliminary assessment of all primary campus machines at risk. The process of restoring network services involved bringing servers back online only after ITS had cleared them of the malware. To restore Truman-issued Windows devices, ITS staff needed to physically install necessary security software on each machine. Employees were instructed to keep their devices powered off until an ITS staff member had performed this update and were asked to be physically present to facilitate the servicing. Once a device was serviced, the employee could log in. Over the subsequent days, users were prompted to change their passwords as a further security measure.

Significant progress was reported on Tuesday, April 25, when ITS successfully brought network servers back online and restored the university's intranet, a key step toward restoring broader network capabilities. Internet access was restored by 9 a.m. on Wednesday, April 26, with Blackboard and Google Suite services following by noon that same day. Students also regained the ability to print in certain locations. ITS warned that intermittent outages could occur as services were closely monitored. Network drives used for file storage were restored, but as a precautionary measure to ensure no virus was reintroduced, ITS utilized backup files from April 7. Consequently, any files created or saved on network drives (such as the W, Y, and V drives) after that date were permanently lost.

The restoration of services continued in a prioritized manner. Wi-Fi access, described as one of the more time-consuming elements to restore securely, was returned to most of campus on Thursday, April 27, with residence halls coming back online that morning. Users connecting to Wi-Fi were asked to "Accept the Certificate" as a safe and necessary step. Specialized software in computer classrooms for students took longer to reinstate, though instructor consoles had largely been restored. The Student Research Conference was held as scheduled but was made optional for presenters, who were not required to have printed posters and were advised to bring presentations on flash drives.

A major consequence of the data rollback to April 7 was the complete loss of all data saved to the university's web-based survey tool after that date. This resulted in the loss of all votes cast in the Student Government election that was underway during the outage. The university announced the election would be re-run in its entirety from May 1 to May 5, with the same candidates and ballot initiatives.

The most complex restoration effort involved email services. Initially, on Wednesday, April 26, students could send but not receive messages, while employee email remained entirely offline. To expedite the resumption of service, ITS decided to accelerate a previously planned campus-wide transition to Office 365 email, which had been scheduled for later in the summer. This transition did not alter email addresses. By Friday, April 28, email capabilities were fully restored for all current students and employees. However, ITS implemented Google Mail for the remainder of the semester to allow for immediate service resumption and to preserve older messages before the eventual full transition to Office 365 in the coming weeks. Employees accessing their old Outlook inboxes could view messages received before the outage but could not directly reply to or forward them; message text and addresses had to be copied and pasted to begin new email threads.

Throughout the incident, the university provided academic flexibility to mitigate the impact on the end of the semester. Faculty were instructed not to assess penalties for late assignments, missed tests, or other deadlines for any work due between April 21 and the end of the semester. They were also advised they might need to reduce or eliminate assignments and other graded work to meet final grade-submission deadlines. All final exams proceeded as scheduled at their previously announced dates, times, and locations. The university confirmed that employee payroll was processed on time and was not affected by the network outage. The investigation into whether any specific information was compromised continued, with no public conclusion provided in the immediate aftermath of the restoration efforts.
