
East Central University: Notice of Data Incident

 

East Central University is providing notice of a recent data incident that potentially compromised the security of some private information that ECU maintains. This webpage is intended to share what happened, what the University is doing in response to the incident, and what steps individuals can take to help protect against the misuse of their information.

FAQs

What Happened?

East Central University experienced a directed attack from a cybercriminal group and malicious software known as BlackSuit.  While the criminals were not successful in taking down ECU’s critical services, they were able to conduct a successful attack on a variety of campus computers.

 

Who is BlackSuit?

BlackSuit is a very active cybercriminal ransomware group that is believed to be a spinoff of a known malicious party called Royal. The Cybersecurity & Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) believe that Royal/BlackSuit have had over 350 known victims with ransomware demands of more than $275 million worldwide. BlackSuit has taken credit for taking down other school systems around the country.

 

What did the attackers do?

BlackSuit attempted to attack ECU systems, steal data, encrypt ECU computers, and otherwise extort the campus. 

 

How were the attackers able to get into ECU systems?

The specific entry point to the ECU campus is currently unknown. However, it is widely accepted that the BlackSuit attackers attempt to gain entry through infected email attachments, malicious websites, pop-up ads, and a variety of Trojan applications.

While we cannot definitively say how the attackers were able to get in, we did see an increase in spam/malicious emails in the days leading up to the attacks.

 

What was affected by the attack?

A variety of utility and file servers were attacked and encrypted by the ransomware tools.  Critical university systems, which had additional security controls in place, were not affected by the attack.

 

What did ECU do in response to the attack?

Upon learning of the attack, ECU I.T. brought in a third-party cybersecurity response team to assist in stopping and recovering from the attack.

The two teams immediately began working through incident response protocols to determine the scope of the attack, deploy countermeasures, gather forensic data, and gain visibility into the campus network/systems. 

Additionally, ECU I.T. began resetting passwords, evaluating critical services, and otherwise deploying new servers to restore services that were affected by the attack.

 

What is ECU doing to prevent this sort of attack in the future?

It can be very difficult to prevent a targeted attack from an advanced malicious party, and unfortunately there is not a single solution that we can deploy that will protect us from every kind of attack. 

However, ECU I.T. is working closely with the third-party cybersecurity team to look for ways to enhance security, understand attack points, and otherwise help the campus become more aware of the new tactics used by attackers.

 

How will I know if my data was involved?

We are still investigating the scope and scale of the data involved on the servers that were attacked.  We will keep our community updated as we find out additional information.

 

What can I do to keep myself safe if my data was involved?

The scope and scale of the data involved on the servers attacked are still being investigated, but currently there has been no evidence that any information was taken.  Recently, we determined that a number of individual names and Social Security numbers may have been accessible to the criminal group – while we have no confirmation that they were in fact accessed, much less taken, we are providing this notice while we continue to investigate.

We recommend you visit www.identitytheft.gov for steps to take if your information is or may be compromised.

 

 

How do I know if my name and Social Security number were compromised? 

At this point we do not have any verification of specific accounts or information that were accessed or removed from ECU systems.  Out of an abundance of caution, we recommend you visit www.identitytheft.gov for steps to take if your information is or may be compromised.

 

 

Who can I contact if I have additional questions?

Email it_updates@ecok.edu or call 580-559-5967.