Cyber Incident Victim: Emmanuel College
Date: Apr 2023
Location: United States of America
Summary
Emmanuel College experienced a significant network outage that rendered its website and most networked systems unavailable. The Avos Locker ransomware group claimed responsibility for the attack, alleging it had exfiltrated 140GB of confidential student and faculty data. As proof, the threat actors published old employee W-2 forms from prior years. The college's IT department worked to restore services but did not publicly confirm receiving a ransom demand or the full extent of the data breach.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On or around April 27, 2023, Emmanuel College in Boston experienced a significant network outage that rendered its website and most internet services unavailable. The college publicly acknowledged the disruption via a Twitter post on that date, stating that while most networked systems were down, the RAVE emergency alert system remained functional. The initial communication focused solely on the service interruption and promised to provide updates as more information became available. The following day, April 28, the college posted another update on Twitter thanking the community for their patience and announcing that its Information Technology department had begun the process of restoring services, with a further update promised for later that evening.

Concurrently, the Avos Locker ransomware group claimed responsibility for the attack. The threat actor added Emmanuel College to its data leak site, asserting that it had exfiltrated 140 gigabytes of confidential data pertaining to both students and faculty. The listing was accompanied by a ransom note that framed payment as the way to protect the students, contrasting it with the college's decision to take its domains offline in response to the incident. Emmanuel College's public communications during this period neither confirmed these claims nor acknowledged receiving any ransom demand.
As proof of its claims, Avos Locker published a limited number of files: old employee W-2 forms from the tax years 2014 and 2017. Their publication confirmed that at least some historical personnel data had been accessed and taken by the attackers. Although the forms are several years old, a W-2 carries an employee's name, address and Social Security number, none of which expire with the tax year, so the affected individuals face a lasting risk of identity-related fraud. Notably, the threat actor did not publicly provide any evidence at that time to substantiate its claims of having stolen current records or any student information, so the full scope of the potential breach remained unclear based solely on the proof posted.
The primary immediate impact of the incident was a major operational disruption across the college's networked infrastructure. The outage affected the institution's public website and rendered most internal systems that relied on network connectivity unavailable. This would have impacted a wide range of academic and administrative functions, from email communication and access to learning management systems to internal administrative operations. The confirmation that emergency alert systems remained operational was a critical point of communication for ensuring campus safety during the IT outage.
The college's publicly communicated response focused on containment and recovery: its Information Technology department worked to restore services and bring systems back online, and the April 28 update indicated that restoration had begun within a day of the outage. The public messaging was cautious, initially disclosing only a network interruption without naming a malicious cause or any potential compromise of sensitive data, and the college's statements did not describe the investigation or its findings. Avos Locker's claims, taken together with the outage, are consistent with the double-extortion model used by most current ransomware operations: data is exfiltrated before systems are encrypted or otherwise disrupted, and the threat of publication is then used alongside the outage itself to pressure the victim into paying. Whether ransomware was actually deployed on the college's systems was not confirmed publicly. The full consequences for the personal information of students, faculty and staff remained to be assessed based on the information initially available.
