ECU Logo

East Central University: Notice of Data Incident


East Central University is providing notice of a recent data incident that potentially compromised the security of some private information that ECU maintains. The information on this webpage intends to share what happened, what the University is doing in response to the incident, and what steps individuals can take to help protect against the misuse of their information.


What Happened?

East Central University experienced a directed attack from a cybercriminal group and malicious software known as BlackSuit.  While the criminals were not successful in taking down ECU’s critical services, they were able to conduct a successful attack on a variety of campus computers.


Who is BlackSuit?

BlackSuit is a very active cybercriminal ransomware group that is believed to be a spinoff of a known malicious party called Royal.  Cybersecurity & Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) believe that Royal/BlackSuit have had over 350 known victims with ransomware demands of more than $275 million worldwide. BlackSuit has taken credit for taking down other school systems around the country.


What did the attackers do?

BlackSuit attempted to attack ECU systems, steal data, encrypt ECU computers, and otherwise extort the campus. 


How were the attackers able to get into ECU systems?

The specific entry point to the ECU campus is current unknown. However, it is widely accepted that the BlackSuit attackers attempt to gain entry through infected email attachments, malicious websites, pop-up-ads, and a variety of trojan applications. 

While we cannot definitively say how the attackers were able to get in, we did see an increase in spam/malicious emails in the days leading up to the attacks.


What was affected by the attack?

A variety of utility and file servers were attacked and encrypted by the ransomware tools.  Critical university systems, which had additional security controls in place, were not affected by the attack.


What did ECU do in response to the attack?

Upon learning of the attack, ECU I.T. brought in a 3rd party cyber security response team to assist in stopping and recovering from the attack.

The two teams immediately began working through incident response protocols to determine the scope of the attack, deploy countermeasures, gather forensic data, and gain visibility into the campus network/systems. 

Additionally, ECU I.T. began resetting passwords, evaluating critical services, and otherwise deploying new servers to restore services that were affected by the attack.


What is ECU doing to prevent this sort of attack in the future?

It can be very difficult to prevent a targeted attack from an advanced malicious party, and unfortunately there is not a single solution that we can deploy that will protect us from every kind of attack. 

However, ECU I.T. is working closely with the 3rd party cyber security team to look for ways to enhance security, understand attack points, and otherwise help the campus become more aware of the new tactics used by attackers.


How will I know if my data was involved?

We are still investigating the scope and scale of the data involved on the servers that were attacked.  We will keep our community updated as we find out additional information.


What can I do to keep myself safe if my data was involved?

The scope and scale of the data involved on the servers attacked are still being investigated, but currently there has been no evidence that any information was taken.  Recently, we determined that a number of individual names and Social Security numbers may have been accessible to the criminal group – while we have no confirmation that they were in fact accessed, much less taken, we are providing this notice while we continue to investigate.

We recommend you visit for steps to take if your information is or may be compromised. We encourage you to remain vigilant against incidents of identity theft and fraud, to review your account statements, and to monitor your credit reports for suspicious activity and to detect errors for the next 12 to 24 months.  If you suspect fraud in your accounts, please report such activity to Mary LaMack  Please also review the information below on the Steps You Can Take to Protect Your Information.  



How do I know if my name and Social Security number were compromised? 

At this point we do not have any verification of specific accounts or information that were accessed or removed from ECU systems. Out of an abundance of caution, we recommend you visit and review the information below on the Steps You Can Take to Protect Your Information  for steps to take if your information is or may be compromised. 

If you know or suspect you are a victim of tax-related identity theft, the IRS recommends these additional steps:

  1. Respond immediately to any IRS notice; call the number provided.
  2. Complete IRS Form 14039, Identity Theft Affidavit, if your efiled return rejects because of a duplicate filing under your SSN or you are instructed to do so. Use a fillable form at, print, then attach the form to your return and mail according to instructions.
  3. If you previously contacted the IRS and did not have a resolution, contact them for specialized assistance at 1-800-908-4490. They have teams available to assist.

 Information regarding Oklahoma tax returns can be found at



Monitor Accounts

Under U.S. law you are entitled to one free credit report annually from each of the three major credit reporting bureaus.  We recommend periodically obtaining credit reports from each nationwide credit reporting agency and have information relating to fraudulent transactions deleted.  To order your free credit report, visit or call, toll-free, 1-877-322-8228.  You may also contact the three major credit bureaus listed below directly to request a free copy of your credit report.  

You have the right to place a “security freeze” on your credit report, which will prohibit a consumer reporting agency from releasing information in your credit report without your express authorization.  The security freeze is designed to prevent credit, loans, and services from being approved in your name without your consent.  However, you should be aware that using a security freeze to take control over who gets access to the personal and financial information in your credit report may delay, interfere with, or prohibit the timely approval of any subsequent request or application you make regarding a new loan, credit, mortgage, or any other account involving the extension of credit.  Pursuant to federal law, you cannot be charged to place or lift a security freeze on your credit report.  Should you wish to place a security freeze, please contact the major consumer reporting agencies listed below:

Experian: P.O. Box 9554, Allen, TX 75013  / 1-888-397-3742

TransUnion: P.O. Box 160, Woodlyn, PA 19094 /  1-888-909-8872

Equifax: P.O. Box 105788, Atlanta, GA 30348-5788 / 1-800-685-1111  

To request a security freeze, you will need to provide specific information as requested by the agencies. 

As an alternative to a security freeze, you have the right to place an initial or extended “fraud alert” on your file at no cost.  An initial fraud alert is a 1-year alert that is placed on a consumer’s credit file.  Upon seeing a fraud alert display on a consumer’s credit file, a business is required to take steps to verify the consumer’s identity before extending new credit. If you are a victim of identity theft, you are entitled to an extended fraud alert, which is a fraud alert lasting seven years.  Should you wish to place a fraud alert, please contact any one of the agencies listed below:

Experian: P.O. Box 9554, Allen, TX 75013  / 1-888-397-3742

TransUnion: P.O. Box 160, Woodlyn, PA 19094 /  1-888-909-8872

Equifax: P.O. Box 105788, Atlanta, GA 30348-5788 / 1-800-685-1111  



Who can I contact if I have additional questions?

Email or call 580-559-5967.