A ransomware attack has crippled Whitworth University's computer network and left students scrambling to make plans and find information for the coming school year.
On July 29, the school's website went down. So did the entire campus network. Two weeks later, with the website still on the fritz, the school directed students to a bare-bones, temporary website for contact details and other essential information.
The removal of Whitworth’s name from LockBit’s page could indicate a completed ransom payment, but it could also be temporary, as LockBit sometimes removes the names of organizations from their website during negotiations.
Organizations are often hesitant to talk publicly about cyberattacks because of concerns about damage to their reputation, or signaling vulnerabilities to other hackers. Washington law requires businesses, individuals and public agencies to notify people within 30 days if they are at risk of harm because their personal information was compromised in a data breach. In March, after Russian cyberattacks escalated in response to sanctions, President Joe Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which requires organizations working in critical industry sectors like energy and healthcare to report cyberattacks within 72 hours. The law doesn’t apply to universities.
To pay or not to pay is a perennial question in the world of cybersecurity. The FBI — concerned about emboldening criminals — discourages organizations from negotiating with hackers and paying ransoms. But Stu Steiner, an assistant professor of cybersecurity at Eastern Washington University, says it usually happens anyway.
“To be God-honest truthful, most companies in the U.S. just pay,” Steiner says.
Victoria Schauer, a senior at Whitworth, tells the Inlander that she hasn’t been able to access her class schedule, financial aid information or her school email account. It’s been stressful. This fall is supposed to be Schauer’s final quarter at Whitworth, and she worries about finalizing the classes she’ll be taking.
“We only have a couple of weeks until our classes start up again, and there’s absolutely no way for us to get any information on our semester,” Schauer says.
Schauer says she’s frustrated by a lack of communication from Whitworth. In the two-and-a-half weeks since the attack, the school has made three Facebook posts about their computer network, none of which directly mention the hack:
- July 29: “The campus network is currently down, which includes the Whitworth website. We will keep you posted when it has been restored.”
- Aug. 1: “We are continuing to work to restore our systems, including the Whitworth website. We appreciate your patience and will continue to keep you updated”
- Aug. 13: “While we continue to work to restore our systems, a temporary website is available at www.whitworth.edu with key contact information and resources”
“It’s hard for people — especially people that are planners and like to understand and have a plan for what’s going on, like myself,” Schauer says.
Michael Gamlem III graduated from Whitworth in 2019, but he worries the school might still have his personal financial data on file. He wishes the school would tell people what exactly the hackers took so they know if they need to take action to protect their accounts.
“Obviously, it’s easier to catch those things if you know about them beforehand,” Gamlem says.
Madison Gotthardt, a senior, says she, too, is concerned about the lack of information. There’s a lot of uncertainty and rumors flying around, Gotthardt says. She’s been emailing professors to try to change one of the classes on her schedule because she can’t change it through the website. The situation has been especially stressful for incoming students who are still figuring out how to navigate classes, dorms and other aspects of college life, Gotthardt says.
“It would be very stressful to be in the dark about all that,” she says.
Both Gotthardt and Schauer say they understand that the attack has left Whitworth officials in a difficult and sensitive situation. Still, they wish the school was being more transparent about what’s going on. Not being able to check your class schedule or email is one thing, but the potential release of personal information is even more worrying. It’s still unclear what exactly the hackers have, but 715 gigabytes is a lot of data for a small private university. In attacks where personal data is obtained, there are concerns about the release of student names and financial information, including Social Security numbers.
“I think that’s a huge concern,” Schauer says.
A GROWING THREAT
Steiner says 2020 saw a huge increase in the number of cyberattacks on American universities, though many of those attacks were driven by the theft of intellectual property related to COVID-19 research. As the pandemic has subsided, hackers are continuing to target universities and pivoting towards other types of data that can be stolen, held for ransom, and, in some cases, sold on the dark web.
“They’ve realized that universities are a ripe target,” Steiner says.
It’s still unclear exactly how hackers were able to infiltrate Whitworth’s network, but Steiner says it was almost certainly a phishing attack, which generally involves a fraudulent email directing the recipient to download something or enter their password info. Most universities actually have pretty good defenses in the form of multilayered firewalls, intrusion detection systems and strong IT staff, Steiner says. But there’s one vulnerability no amount of technology can patch: people.
“The weakest link in cybersecurity is the human factor,” Steiner says. “It’s always been that way, it will always be that way.”
Ransomware attacks have been escalating in recent years. The pivot to remote work during the pandemic didn’t help. Washington state saw 150 reported ransomware attacks in 2021. That’s a huge spike — more than the total number of ransomware attacks from the past five years combined. Ransomware technology is improving rapidly, and many organizations are just starting to catch up. But there’s also a huge shortage of trained cybersecurity professionals.
“The threats have never been greater,” Bob Ferguson, the state Attorney General, said in a November report detailing the record year of cyber attacks.
Steiner says the attack isn’t necessarily Whitworth’s fault. Training staff to avoid phishing scams can help protect from stuff like this, Steiner says, but at the end of the day, everyone is vulnerable.
Hunter Smit, a recent Whitworth grad, says he doesn’t think blame falls fully on Whitworth, and that he’s grateful to the school’s technology team for working around the clock to get the issue fixed. Still, he wishes there was more information available. He says the hack has made it difficult for his wife, who is starting a graduate program in a couple weeks, to communicate with the university.
“It happened to Whitworth, it can happen to anybody,” Steiner says. “Once it happens to one university, then the LockBit people can say, ‘Okay, let’s try another university.’”
Editor's Note: This story was updated Thursday, Aug. 18, to correct information about Washington law, which does require the disclosure of data breaches if personal information is at risk.