Cyber Incident Victim: Whitworth University
Date:
Jul 2022
Location:
United States of America
Summary
Whitworth University experienced a ransomware attack attributed to the LockBit group, disrupting information systems and causing operational outages including phone lines and website access. The incident, discovered in late July, prompted an ongoing investigation to determine if personal data of students, alumni, employees, or donors was compromised, with commitments to notify affected parties if necessary. Recovery efforts involved collaboration with cybersecurity experts to restore systems and implement enhanced security measures, aiming to resume near-normal operations within weeks. While the university declined to confirm specifics of data exposure or ransom demands, LockBit's involvement aligns with its known tactics of data theft and extortion. Washington state breach notification laws may apply pending investigation outcomes, though the institution emphasized prioritizing security and minimizing risks to stakeholders.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
Whitworth University discovered a ransomware infiltration in its information systems on July 29, 2022, described by officials as a "very sophisticated security issue involving our network systems." The incident was attributed to outside actors, though the university did not publicly confirm reports attributing the attack to the LockBit ransomware group. Initial disruptions included inoperable phone lines and website outages, preventing external communications. Roy Berg, a parent, reported inability to pay tuition or contact the university via phone for multiple days starting July 28, while his son experienced email system failures despite confirming his fall class schedule before the attack. University technology teams collaborated with cybersecurity experts to contain the incident, restore systems, and implement new layers of system protections, targeting 95% operational restoration by August 31.
The investigation remained ongoing as of August 19, 2022, with no conclusive determination regarding whether attackers accessed personal data of students, alumni, employees, or donors. University officials committed to notifying affected individuals and providing protective resources if data compromise was confirmed, though no notifications had been issued nearly three weeks post-discovery. This delay drew criticism from community members like Berg, who learned of developments through media rather than direct communication. Washington state law mandates breach notifications within 30 days if data exposure risks harm, requiring disclosure to the Attorney General’s Office for incidents affecting over 500 residents. LockBit, implicated in third-party reports, was noted by cybersecurity firm Digital Shadows as responsible for nearly one-third of ransomware incidents on data leak sites in mid-2022, employing data theft and public victim identification to pressure ransom payments. The attack occurred amid a documented surge in Washington ransomware incidents, rising from seven in 2020 to 150 in 2021.