A ransomware attack has crippled Whitworth University's computer network and left students scrambling to make plans and find information for the coming school year.
On July 29, the school's website went down. So did the entire campus network. Two weeks later, with the website still on the fritz, the school directed students to a barebones, temporary website for contact details and other essential information.
On Aug. 10, LockBit, a prominent ransomware group, claimed responsibility for the cyberattack. On their website, the Russia-based hacker group claimed to have 715 gigabytes of Whitworth data relating to “accounting, marketing, infrastructure, documents and more.” The message was accompanied by a timer counting down to Aug. 23. If a cryptocurrency ransom isn’t paid by then, the group is threatening to release all the data. It’s unclear exactly how much money the group is demanding.
On Wednesday, Aug. 17, the message was no longer visible on LockBit’s website, which is only accessible with a Tor browser. The Inlander is not linking to the group’s page because it contains stolen, sensitive information from other organizations. Whitworth’s main website was still down on Wednesday.
The removal of Whitworth’s name from LockBit’s page could indicate a completed ransom payment, but it could also be temporary, as LockBit sometimes removes the names of organizations from their website during negotiations.
The removal of Whitworth’s name from LockBit’s page could indicate a completed ransom payment, but it could also be temporary, as LockBit sometimes removes the names of organizations from their website during negotiations.
The university sent the following statement to the Inlander in response to questions:
“A security issue was recently discovered in Whitworth University’s network and immediately acted upon thanks to the quick response of our information systems department. We are still working through this process with assistance from a team of external forensic experts. We realize this is a critical issue and are working to rectify it and restore service as quickly as possible.”
The statement was also shared with faculty and employees. The school did not answer questions about the nature of the data compromised by the breach, how the school plans to respond to the hacker’s demands or whether students should be concerned about leaked personal data or an impact to the start of the school year.
Organizations are often hesitant to talk publicly about cyberattacks because of concerns about damage to their reputation, or signaling vulnerabilities to other hackers. Washington law requires businesses, individuals and public agencies to notify people within 30 days if they are at risk of harm because their personal information was compromised in a data breach. In March, after Russian cyberattacks escalated in response to sanctions, President Joe Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which requires organizations working in critical industry sectors like energy and healthcare to report cyberattacks within 72 hours. The law doesn’t apply to universities.
To pay or not to pay is a perennial question in the world of cybersecurity. The FBI — concerned about emboldening criminals — discourages organizations from negotiating with hackers and paying ransoms. But Stu Steiner, an assistant professor of cybersecurity at Eastern Washington University, says it usually happens anyway.
“To be God-honest truthful, most companies in the U.S. just pay,” Steiner says.
Organizations are often hesitant to talk publicly about cyberattacks because of concerns about damage to their reputation, or signaling vulnerabilities to other hackers. Washington law requires businesses, individuals and public agencies to notify people within 30 days if they are at risk of harm because their personal information was compromised in a data breach. In March, after Russian cyberattacks escalated in response to sanctions, President Joe Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which requires organizations working in critical industry sectors like energy and healthcare to report cyberattacks within 72 hours. The law doesn’t apply to universities.
To pay or not to pay is a perennial question in the world of cybersecurity. The FBI — concerned about emboldening criminals — discourages organizations from negotiating with hackers and paying ransoms. But Stu Steiner, an assistant professor of cybersecurity at Eastern Washington University, says it usually happens anyway.
“To be God-honest truthful, most companies in the U.S. just pay,” Steiner says.
"We have no information about what's going on."
For students and families at Whitworth, the hack has created a logistical mess. Students are scheduled to move in on Sept. 3. Classes start four days later.
Victoria Schauer, a senior at Whitworth, tells the Inlander that she hasn’t been able to access her class schedule, financial aid information or her school email account. It’s been stressful. This fall is supposed to be Schauer’s final quarter at Whitworth, and she worries about finalizing the classes she’ll be taking.
“We only have a couple of weeks until our classes start up again, and there’s absolutely no way for us to get any information on our semester,” Schauer says.
Schauer says she’s frustrated by a lack of communication from Whitworth. In the two-and-a-half weeks since the attack, the school has made three Facebook posts about their computer network, none of which directly mention the hack:
Victoria Schauer, a senior at Whitworth, tells the Inlander that she hasn’t been able to access her class schedule, financial aid information or her school email account. It’s been stressful. This fall is supposed to be Schauer’s final quarter at Whitworth, and she worries about finalizing the classes she’ll be taking.
“We only have a couple of weeks until our classes start up again, and there’s absolutely no way for us to get any information on our semester,” Schauer says.
Schauer says she’s frustrated by a lack of communication from Whitworth. In the two-and-a-half weeks since the attack, the school has made three Facebook posts about their computer network, none of which directly mention the hack:
- July 29: “The campus network is currently down, which includes the Whitworth website. We will keep you posted when it has been restored.”
- Aug. 1: “We are continuing to work to restore our systems, including the Whitworth website. We appreciate your patience and will continue to keep you updated”
- Aug. 13: “While we continue to work to restore our systems, a temporary website is available at www.whitworth.edu with key contact information and resources”
“We have no information about what’s going on,” Schauer says.
Concerned students and parents have taken to the school’s Facebook page to ask questions about financial aid, room assignments, classes and other logistics that need to be addressed before the start of school. The school has told commenters that deadlines for things like tuition payments will be extended, and has directed people seeking specific information to call school offices directly, but warned that they are experiencing a high volume of calls.
“It’s hard for people — especially people that are planners and like to understand and have a plan for what’s going on, like myself,” Schauer says.
Michael Gamlem III graduated from Whitworth in 2019, but he worries the school might still have his personal financial data on file. He wishes the school would tell people what exactly the hackers took so they know if they need to take action to protect their accounts.
"Obviously, it's easier to catch those things if you know about them beforehand," Gamlem says.
Madison Gotthardt, a senior, says she, too, is concerned about the lack of information. There’s a lot of uncertainty and rumors flying around, Gotthardt says. She’s been emailing professors to try to change one of the classes on her schedule because she can’t change it through the website. The situation has been especially stressful for incoming students who are still figuring out how to navigate classes, dorms and other aspects of college life, Gotthardt says.
“It would be very stressful to be in the dark about all that,” she says.
Both Gotthardt and Schauer say they understand that the attack has left Whitworth officials in a difficult and sensitive situation. Still, they wish the school was being more transparent about what’s going on. Not being able to check your class schedule or email is one thing, but the potential release of personal information is even more worrying. It’s still unclear what exactly the hackers have, but 715 gigabytes is a lot of data for a small private university. In attacks where personal data is obtained, there are concerns about the release of student names and financial information, including social security numbers.
“I think that’s a huge concern,” Schauer says.
A GROWING THREAT
“It’s hard for people — especially people that are planners and like to understand and have a plan for what’s going on, like myself,” Schauer says.
Michael Gamlem III graduated from Whitworth in 2019, but he worries the school might still have his personal financial data on file. He wishes the school would tell people what exactly the hackers took so they know if they need to take action to protect their accounts.
"Obviously, it's easier to catch those things if you know about them beforehand," Gamlem says.
Madison Gotthardt, a senior, says she, too, is concerned about the lack of information. There’s a lot of uncertainty and rumors flying around, Gotthardt says. She’s been emailing professors to try to change one of the classes on her schedule because she can’t change it through the website. The situation has been especially stressful for incoming students who are still figuring out how to navigate classes, dorms and other aspects of college life, Gotthardt says.
“It would be very stressful to be in the dark about all that,” she says.
Both Gotthardt and Schauer say they understand that the attack has left Whitworth officials in a difficult and sensitive situation. Still, they wish the school was being more transparent about what’s going on. Not being able to check your class schedule or email is one thing, but the potential release of personal information is even more worrying. It’s still unclear what exactly the hackers have, but 715 gigabytes is a lot of data for a small private university. In attacks where personal data is obtained, there are concerns about the release of student names and financial information, including social security numbers.
“I think that’s a huge concern,” Schauer says.
A GROWING THREAT
Steiner says the group behind the cyberattack almost certainly means business when they threaten to release Whitwoth’s data. They have a reputation to uphold, he says, and a history of releasing sensitive data from other organizations. Groups like LockBit will often release parts of the data publicly on their website so people can see that they actually have it, and then sell the rest on the dark web, Steiner says.
Steiner says 2020 saw a huge increase in the number of cyberattacks on American universities, though many of those attacks were driven by the theft of intellectual property related to COVID-19 research. As the pandemic has subsided, hackers are continuing to target universities and pivoting towards other types of data that can be stolen, held for ransom, and, in some cases, sold on the dark web.
“They’ve realized that universities are a ripe target,” Steiner says.
It’s still unclear exactly how hackers were able to infiltrate Whitworth’s network, but Steiner says it was almost certainly a phishing attack, which generally involves a fraudulent email directing the recipient to download something or enter their password info. Most universities actually have pretty good defenses in the form of multilayered firewalls, intrusion detection systems and strong IT staff, Steiner says. But there’s one vulnerability no amount of technology can patch: people.
“The weakest link in cybersecurity is the human factor,” Steiner says. “It’s always been that way, it will always be that way.”
Ransomware attacks have been escalating in recent years. The pivot to remote work during the pandemic didn’t help. Washington state saw 150 reported ransomware attacks in 2021. That’s a huge spike — more than the total number of ransomware attacks from the past five years combined. Ransomware technology is improving rapidly, and many organizations are just starting to catch up. But there’s also a huge shortage of trained cybersecurity professionals.
“The threats have never been greater,” Bob Ferguson, the state Attorney General, said in a November report detailing the record year of cyber attacks.
Steiner says the attack isn’t necessarily Whitworth’s fault. Training staff to avoid phishing scams can help protect from stuff like this, Steiner says, but at the end of the day, everyone is vulnerable.
Hunter Smit, a recent Whitworth grad, says he doesn’t think blame falls fully on Whitworth, and that he’s grateful to the school’s technology team for working around the clock to get the issue fixed. Still, he wishes there was more information available. He says the hack has made it difficult for his wife, who is starting a graduate program in a couple weeks, to communicate with the university.
Steiner says 2020 saw a huge increase in the number of cyberattacks on American universities, though many of those attacks were driven by the theft of intellectual property related to COVID-19 research. As the pandemic has subsided, hackers are continuing to target universities and pivoting towards other types of data that can be stolen, held for ransom, and, in some cases, sold on the dark web.
“They’ve realized that universities are a ripe target,” Steiner says.
It’s still unclear exactly how hackers were able to infiltrate Whitworth’s network, but Steiner says it was almost certainly a phishing attack, which generally involves a fraudulent email directing the recipient to download something or enter their password info. Most universities actually have pretty good defenses in the form of multilayered firewalls, intrusion detection systems and strong IT staff, Steiner says. But there’s one vulnerability no amount of technology can patch: people.
“The weakest link in cybersecurity is the human factor,” Steiner says. “It’s always been that way, it will always be that way.”
Ransomware attacks have been escalating in recent years. The pivot to remote work during the pandemic didn’t help. Washington state saw 150 reported ransomware attacks in 2021. That’s a huge spike — more than the total number of ransomware attacks from the past five years combined. Ransomware technology is improving rapidly, and many organizations are just starting to catch up. But there’s also a huge shortage of trained cybersecurity professionals.
“The threats have never been greater,” Bob Ferguson, the state Attorney General, said in a November report detailing the record year of cyber attacks.
Steiner says the attack isn’t necessarily Whitworth’s fault. Training staff to avoid phishing scams can help protect from stuff like this, Steiner says, but at the end of the day, everyone is vulnerable.
Hunter Smit, a recent Whitworth grad, says he doesn’t think blame falls fully on Whitworth, and that he’s grateful to the school’s technology team for working around the clock to get the issue fixed. Still, he wishes there was more information available. He says the hack has made it difficult for his wife, who is starting a graduate program in a couple weeks, to communicate with the university.
Steiner says he anticipates seeing more cyberattacks on universities.
“It happened to Whitworth, it can happen to anybody,” Steiner says. "Once it happens to one university, then the LockBit people can say, ‘Okay, let's try another university.’”
“It happened to Whitworth, it can happen to anybody,” Steiner says. "Once it happens to one university, then the LockBit people can say, ‘Okay, let's try another university.’”
Editor's Note: This story was updated Thursday, Aug. 18, to correct information about Washington law, which does require the disclosure of data breaches if personal information is at risk.
