Imperial Community College
update on data security incident

 

We value and respect the privacy of our students, employees, partners, and their information. We deeply regret that this incident occurred, and we apologize for any inconvenience or concern it may cause you. The vulnerability that led to the unauthorized access was promptly addressed, and we are further enhancing the security of our systems and trainings to help prevent something like this from happening again.

 

On Thursday August 6, 2020, just 11 days before the start of the Fall semester, computing systems at Imperial Community College experienced a criminal ransomware attack, which rendered its servers temporarily inaccessible. The college's Information Technology Departmentnotified appropriate law enforcement entities, and engaged a third-party forensic company to investigate the cause and scope of the incident

 

It was determined that approximately .09% of the data on the servers was affected by the attack. Furthermore, it was determined that the unauthorized access may have allowed access to individuals' personal information, but there is no indication that any information potentially was misused during this incident. ICCD has identified no evidence that any sensitive information was accessed, viewed or downloaded, however, such actions cannot be ruled out.

 

For more information, or to determine whether you may have been affected by this incident, contact ICCD's dedicated call center at 855-914-4656, Monday through Friday, 6:00 a.m. to 6:00 p.m. Pacific Time.

 

Summary and timeline of events:

On Thursday, August 6, the College's IT department became aware of a ransomware attack onthe computing servers. Content on the compromised servers was encrypted by an unknown entity and no longer accessible by the college. The ransomware variant associated with the attack wasSodinokibi. On October 16, 2020, after a thorough investigation, Imperial Community College District learned that the unauthorized access may have enabled access to individuals' personal information.

 

While we have no reason to believe that any information was viewed or misused during this compromise, and while some of this information may not constitute personal information under the law, Imperial Community College District feels it necessary to ensure you are properly informed of this incident. We recommend that you remain vigilant in regularly reviewing and monitoring all of your account statements and credit history to guard against any unauthorized transactions or activity. If you discover any suspicious or unusual activity on your accounts, please promptly contact your financial institution or company.

 

What steps were taken once the attack was identified?

College servers were immediately isolated from the rest of the college and the internet. Thecollege notified appropriate law enforcement entities, and the IT department began actively investigating the matter. An outside cyber security consultant with expertise in handling these types of situations was also engaged to support the investigation.

 

What is ransomware?

Ransomware is a form of attack in which, after gaining access to a system, the attacker encrypts a victim's files then demands a ransom to restore access to the data. More recently, attackers have also begun to access sensitive data before encrypting it, then threatening to release the data on the internet if the ransom is not paid. Higher education is increasingly becoming a target of ransomware attacks. Other institutions such as the University of Utah, Michigan State University, University of California San Francisco, and College of the Desert, were also targeted during the same time period.

 

Why are we just learning now about the specifics?

In any data security incident, there must be a full understanding of what information may have been stolen and how access was gained. It is also critical to work with law enforcement to determine what steps need to be taken legally, if any. After a thorough review of the facts, and the facts were known, a report was provided.

August 6th ransomware attack occurred
August 19th Primary systems were stabilized allowing ransomware investigation to begin
August 24 Systems necessary to investigate potential data exfiltration were repaired and in place to begin investigation
September 11th suspect data files were turned over to consultant for inspection

October 16th Received file from consultant and began processing for notification of those affected.
November 3rd Sent out notifications to those affected

 

How was this situation resolved?

After careful consideration, the college decided to work with its cyber insurance provider to pay a fee to the ransomware attacker. This was done as a proactive step to prevent continued disruption to IVC's educational service to students. While the decision was ultimately made to pay the ransom, it was a business decision that weighed the impact of not paying against the disruption of our education processes and start of the Fall semester. The decision to pay the ransom was made with students and employees in mind because it provided the fastest and most cost-effective resolution. It was also a proactive and preventive step to ensure information was not released on the internet.

 

While fully online classes started a week late, the college was able to begin serving students at its original scheduled start date, August 17th. After receipt of decryption keys, the systems were gradually brought back online due to the work of our IT department and the cyber security consultants. The systems needed for teaching/learning and other student focused needs, such as the ability to access on-line classes, register and add/drop classes were set as the top priorities.

 

How much ransom was paid?

$55,068 USD at the time of the transaction.

 

What funds were used to pay the ransom?

The college has a cyber insurance policy in place and is responsible for the deductible of $75,000.


What is the nature of the information that might have been accessed?

It is important to note that there is no evidence to suggest that any personally identifiable information or personal health information has been misused. Additionally, there is no indication that any associated information is being bought or sold on the internet.

 

The information potentially exposed may have included names and addresses in some combination with either a social security number, tax identification number, financial account information, health information, and/or a username and password.

 

We want to stress that individual letters have been sent to each person. If you have not received a letter you are not likely affected.

 

Is there anything students, faculty and staff need to do?

If you suspect you are impacted, you can contact our hotline number at 855-914-4656, and our operators can answer that question.

 

Continue to use strong passwords, change them at regular intervals and use two-factor authentication. This is the best way to prevent security incidents in a large, complex organization like Imperial Community College.

 

Is the college back online?

Yes. The college servers were cleaned, and college data was reinstalled from system backups and other means.

 

Is the college vulnerable to additional ransomware attacks? 

The college has made substantial investments in technology to monitor and protect the against attacks, including ransomware threats. Networks and IT infrastructure are monitored 24 hours a day, and the IT environment is continuously assessed to identify any vulnerabilities that need to be addressed.

 

Despite these processes, the college still has vulnerabilities because of its open nature and complex computing needs. This incident helped identify a specific weakness and that vulnerability has been fixed. The college is also working to purge old data and to encrypt all other data. These steps, in addition to individuals using strong passwords and two-factor authentication, are expected to reduce the likelihood of an incident like this occurring again.