December 15, 2022
Ransomware in Higher Education: Holding My College Legacy Ransom
Six years after graduation, a ransomware attack is holding my alma mater’s IT infrastructure hostage. Alumni and current students are scrambling to save their data – and their college memories.
I never thought my college IT department would cause another migraine after graduation. On a small liberal arts campus, IT is underfunded on an average day, and it wasn’t uncommon that a kid in your bio lab would be the one installing the mandated antivirus software on your personal laptop. Ransomware attacks are on the rise in higher education – per a report from Sophos, 64% of institutions reported an attack in 2021, and 74% of those attacks succeeded. And with resources like a student with a midterm due, it’s easy to see why.
A few weeks ago, my school suffered a ransomware attack. Now, alumni who were once promised indefinite use of college emails, cloud storage, and other digital resources, have 48 hours to dig through four years of data and memories and decide what to salvage. Current students have been locked out of email, online college courses, registrar grades during finals, and in some cases even campus Wi-Fi since the moment the cyberattack was discovered.
The hacking group assures us, via an email sent to the alumni and student distribution lists, that even the backup servers are now encrypted with their ransomware, and our personal data is at risk. Social Security numbers, phone numbers, and medical records are all allegedly being put up for sale on the dark web.
The email is riddled with misspellings and slang (“collage” instead of “college,” and many taunts of our “noob security”), and there are no links, so it’s not even trying to phish its recipients. It reads like it could be a bluff – how hilarious that we have your data, your school was too foolish not to pay the ransom – but it also doesn’t take a genius to pull off a ransomware attack of this scale. For a small amount of cryptocurrency, you’d be able to buy prepackaged ransomware that just takes one unsuspecting click in an email to infect an entire network.
The college is still figuring out the extent of the attack, who exactly was impacted and whether the attackers are bluffing about our personal data. Young alumni, especially, are left wondering if our most important data had been scrubbed – why would the college need my SSN after six years? Would I have to change banks if they had the routing number of the checking account from my campus jobs? Did I already freeze my credit? What’s an IRS Identity Protection PIN?
To be fair, the college has taken a mostly correct course of action. Systems were shut down immediately, experts were engaged for remediation. Internal communications were sent out. External communications followed. There are assurances that this will all be sorted out, although when the college president sends out an email detailing how to put a freeze on your credit, it doesn’t feel like the school has a lot of agency in this situation.
Slowly but surely the systems are being brought back online (worry not, students, the tuition portal was the first to be salvaged). As a result, permanent changes are being made. Alumni will no longer have access to their email accounts or storage drives. Current students will likely start the next term with an empty inbox.
So what, beyond Social Security numbers, is lost in an attack like this?
For alumni like my best friend, the former editor-in-chief of the student newspaper, the answer can be real American history. She has hours of interview footage of the Little Rock Nine as septuagenarians stored on the drive. Closer to home, she also has hours of footage with a beloved late professor who built the program that put the college on the map. She has archives of the student newspaper. She has the personal history of our friend group, recorded in video projects, photos, scripts of plays we produced at the school, recordings of performances and college honors presentations and awards and anything that we were ever proud of accomplishing, and proud of each other for.
Friends are saving personal, heartfelt emails from favorite professors, some who have now passed. Others are saving messy reply-all drama from Greek life or clubs, for posterity and laughs. Alumni are saving photos, not just from their time at the college, but from their post-college lives (did I mention the near infinite storage perk?).
My roommate, who inexplicably built the last 10 years of her digital life on her college email address, is currently saving her Xfinity account and my access to home Wi-Fi in our new city. Another friend is saving her mortgage agreement.
I write about attacks like this every day, and this time it’s personal. Terms like “data loss” start to feel amorphous until you know exactly what that data could mean to those who own it.
My alma mater is not the only institution struggling, and our alumni network and student body aren’t alone in feeling the stress of recovering from an event like this. Perhaps this attack was entirely preventable; perhaps it was inevitable. It was, for sure, not only an attack on sensitive information, but an attack on four years of someone’s life and all the memories that come with it, good or bad.
The author, an employee of CDW, is waiting on confirmation of whether any personal sensitive data was exposed and wishes to remain anonymous.