Cyber Incident Victim: Mercyhurst University
Date:
May 2022
Location:
United States of America
Summary
A ransomware attack targeted Mercyhurst University, with the LockBit group claiming responsibility and threatening to release approximately 300 GB of institutional data unless demands were met. The university did not publicly confirm the breach or issue statements through its official channels during the initial incident timeline. LockBit’s dark web listing, which initially set a five-day deadline for data publication, was later removed without explanation, potentially indicating ongoing negotiations or a resolution. The incident occurred shortly after one of the university’s colleges highlighted cybersecurity initiatives at an industry event, though no direct correlation was established. As a private institution, the organization was not subject to Pennsylvania’s state-level restrictions on ransom payments using taxpayer funds.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On or around May 17, 2022, the LockBit ransomware group claimed responsibility for an attack on Mercyhurst University, a private institution in Pennsylvania. The threat actors asserted they had exfiltrated 300 GB of data from the university’s systems and threatened to publish "all data" unless their demands were met. They set a deadline of approximately five days from their initial claim for the university to comply before releasing the stolen information. At the time of the initial report, Mercyhurst University had not publicly acknowledged or confirmed any security incident, with no statements appearing on its official website or Twitter account. The absence of confirmation or denial left the validity of LockBit’s claims unverified, as the group had not yet provided proof of the stolen data. The incident gained attention due to its timing, occurring roughly one month after one of the university’s four colleges participated in Cyber Impact 2022, an event highlighting cybersecurity achievements. This juxtaposition raised questions about the institution’s security posture despite recent public recognition of its cyber initiatives.
By May 22, 2022, LockBit’s dark web listing for Mercyhurst University had been removed, suggesting potential negotiations or a ransom payment, though no official explanation was provided. The removal could alternatively have indicated technical delays in the attackers’ data upload process, as the original five-day deadline had elapsed. The incident unfolded against the backdrop of Pennsylvania’s recent legislative action—Senate Bill 726—which prohibited state entities from using taxpayer funds to pay ransoms without gubernatorial approval. As a private institution, Mercyhurst University would not have been subject to this restriction, leaving its response options unaffected by the state policy. The university’s continued silence through the incident timeline left stakeholders without clarity on operational disruptions, data sensitivity, or remediation efforts. No further updates regarding data publication, forensic findings, or recovery actions were disclosed in the available reporting period.