University of Utah update on data security incident

On Sunday, July 19, 2020, computing servers in the University of Utah’s College of Social and Behavioral Science (CSBS) experienced a criminal ransomware attack, which rendered its servers temporarily inaccessible. The university notified appropriate law enforcement entities, and the university’s Information Security Office (ISO) investigated and resolved the incident in consultation with an external firm that specializes in responding to ransomware attacks.

It was determined that approximately 0.02% of the data on the servers was affected by the attack. This data included employee and student information. The ISO assisted the college in restoring locally managed IT services and systems from backup copies. No central university IT systems were compromised by the attack on the college.

As a precautionary measure, on July 29, 2020, students, staff and faculty were directed to change their university passwords. Because the CSBS servers hosted data and IT services for itself and a small group of colleges, departments and administrative units, asking users to update their passwords was a prudent response.

Summary and timeline of events:

On Sunday, July 19, 2020, the university’s College of Social and Behavioral Science (CSBS) notified the U’s Information Security Office (ISO) of a ransomware attack on CSBS computing servers and networks. Content on the compromised CSBS servers was encrypted by an unknown entity and no longer accessible by the college.

What steps were taken once the attack was identified?

CSBS servers were immediately isolated from the rest of the university and the internet. The university notified appropriate law enforcement entities, and the ISO began actively investigating the matter. An outside consultant with expertise in handling these types of situations was also engaged to support the investigation.

What is ransomware?

Ransomware is a form of attack in which, after gaining access to a system, the attacker encrypts a victim’s files and then demands a ransom to restore access to the data. More recently, attackers have also begun to steal sensitive data before encrypting it, and then threaten to release the data on the internet if the ransom is not paid. Higher education is increasingly a target of ransomware attacks, with other institutions such as Michigan State University and University of California San Francisco also targeted during the same time period.

Why wasn’t the campus community instructed to change their passwords sooner?

In any data security incident, there must be a full understanding of what information may have been stolen and how access was gained. It is also critical to work with law enforcement to determine what steps need to be taken legally, if any. After a thorough review of the facts, all students, faculty and staff were directed to change their passwords. Because of the size and scope of such a request, preparations had to be made to ensure that password resets went smoothly in each campus entity.

How was this situation resolved?

After careful consideration, the university decided to work with its cyber insurance provider to pay a ransom to the attacker. This was done as a proactive and preventive step to ensure information was not released on the internet.

Each ransomware attack involves a unique set of complex factors that an organization considers before deciding if/how to respond. The University of Utah is aware of, and sensitive to, short-term and long-term issues raised when responding to a ransom threat. We recognize that there is risk associated with any outcome in a ransomware attack, including uncertainty that the threat actor will adhere to negotiated terms.

University leadership worked closely with appropriate law enforcement entities, and consulted with a professional ransom negotiation firm. We provided all relevant evidence for the incident, including payment details, to law enforcement. All intelligence and guidance we received indicated that the threat actor would follow through on their threat if ransom was not paid, and that historically there has been no evidence of them retaining or otherwise misusing stolen data once ransom is paid.

Based on the specific characteristics of the case, and based on guidance we received about the attack and the threat actor, the university decided to err on the side of caution in protecting individuals’ and institutional data.

How much ransom was paid by the university?

$457,059.24 USD at the time of the transaction.

What funds were used to pay the ransom?

The university’s cyber insurance policy paid part of the ransom, and the university covered the remainder. No tuition, grant, donation, state or taxpayer funds were used to pay the ransom.

What is the nature of the information that might have been accessed?

The data contained student and employee information. The university is still reviewing the incident to determine the nature of the data that was accessed. This notice will be updated when more information is available.

Is there anything students, faculty and staff need to do?

Continue to use strong passwords, change them at regular intervals and use two-factor authentication. This is the best way to prevent security incidents in a large, complex organization like the University of Utah. There are no other steps members of the university community need to take.

Is CSBS back online?

Yes. CSBS servers were cleaned, and college data was restored from system backups.

Is the University of Utah vulnerable to additional ransomware attacks?

The university has made substantial investments in technology to monitor and protect the university community against attacks, including ransomware threats. Networks and IT infrastructure are monitored 24 hours a day, and the IT environment is continuously assessed to identify any vulnerabilities that need to be addressed.

Despite these processes, the university still has vulnerabilities because of its decentralized nature and complex computing needs. This incident helped identify a specific weakness in a college, and that vulnerability has been fixed. The university is working to move all college systems with private and restricted data to central services to provide a more secure and protected environment. The university is also unifying the campus to one central Active Directory and moving college networks into the centrally managed university network. These steps, in addition to individuals using strong passwords and two-factor authentication, are expected to reduce the likelihood of an incident like this occurring again.