Cyber Incident Victim: Lewis & Clark

Date: Mar 2023

Location: United States of America

Summary

Lewis & Clark experienced a ransomware attack by a group targeting educational institutions, leading to unauthorized access and theft of data stored on LC Files, including sensitive personal information such as passport details and social security numbers. The attackers published portions of stolen data on the dark web, prompting the institution to engage external forensic experts to assess the breach and restore systems from backups without paying the ransom. While core systems like Workday, Colleague, and Nelnet remained uncompromised, some employees reported fraudulent tax filings using their SSNs. The college proactively offered credit monitoring and identity restoration services to current and former community members while implementing enhanced security measures, including multi-factor authentication for VPN access. Forensic analysis to determine the full scope of impacted data remained ongoing.

Description

On March 3, 2023, Lewis & Clark experienced a ransomware attack that disrupted IT systems across its campuses. The college engaged external cybersecurity experts and initiated recovery efforts using existing backups, declining to pay the ransom per law enforcement advice. Attackers later published stolen data on a dark web site, prompting the college to retrieve and analyze this information through forensic specialists. Initial investigations indicated the breach primarily affected LC Files, a network drive used for departmental document storage, with no evidence of compromise to critical systems like Workday (employee/payroll), Colleague (student information/financial), or Nelnet (tuition payments). The ransomware group responsible was noted for targeting educational institutions, though not specifically named in communications. By September 18, 2023, most systems had been restored, though the secure Pionet WiFi network remained offline, requiring alternative access via the unsecured Pionet-Guest network.

The breach exposed personal information, including passport data from students in overseas programs and files containing sensitive details like Social Security numbers. Multiple employees reported fraudulent tax filings using their stolen identities. Forensic analysis, which had manually reviewed approximately 90% of the compromised files by late 2023, confirmed data theft, but individual notifications had not yet been finalized. Lewis & Clark proactively offered 12 months of Experian credit monitoring, identity restoration services, and identity theft insurance to all current students and employees, later extending eligibility to former students and staff from the previous decade. Response measures included mandatory password resets with enhanced complexity requirements, multi-factor authentication (MFA) implementation for VPN access, and deployment of Google Plus licenses with advanced security features. The IT Governance Council issued a report outlining near-term cybersecurity enhancements, while ongoing communications advised affected individuals to place fraud alerts, review credit reports, and report phishing attempts to [email protected].
