Posted On April 5, 2023 Consumer Privacy & Data Breaches
April 5, 2023 – After what appears to have been a ransomware attack, Lewis & Clark College (“Lewis & Clark”) posted a notice on its website on March 31, 2023 announcing it. Later, information about Lewis and Clark College students was leaked online by the notorious ransomware gang known as Vice Society. While Lewis & Clark has not yet provided an update in light of this discovery, notification letters are expected to be sent out once the college has reviewed the leaked data and identified the individuals to whom it belongs.
Console & Associates, P.C. urges anyone who has received a communication from Lewis & Clark College about a data breach to speak with one of our data breach lawyers as soon as possible. We’re here to help you figure out what to do next, get advice on safeguarding yourself, and evaluate whether or not you have grounds to pursue a lawsuit against Lewis & Clark over a data breach.
Lewis & Clark College is a private institution in Portland, Oregon that offers three degree programs: an undergraduate College of Arts & Sciences, a graduate School of Education & Counseling, and a School of Law. The school first opened its doors in 1867, and today it is home to around 3,500 undergraduate and graduate students. In addition to generating around $100 million in annual income, Lewis & Clark College employs over 524 people.
A post on the school’s website claims that on March 3, 2023, Lewis & Clark was the victim of a cyberattack that had serious consequences for the university’s information technology infrastructure. Upon further inquiry, Lewis & Clark determined the incident was the result of a ransomware attack and gave additional details.
Lewis & Clark made the decision to forego paying the desired ransom, which led the Vice Society to post some of the stolen information on the Dark Web. Lewis & Clark is not currently encouraging students to take any protective measures because it does not have information that is reliable about the exposed information. If the school is able to validate the hackers’ assertions, however, that might change.
We don’t know what kind of data was compromised in the incident just yet, but you shouldn’t wait too long to take action to protect your data. It’s possible that your personal details are already in the hands of hackers and identity thieves.
Listed below are some preventative measures you can start implementing right away. This is not an exhaustive list, and you may want to take further action if the data breach compromises your financial information.
Keeping a tight eye on your finances is usually a good idea. Keep an eye on your bank accounts, credit card statements, and credit profile, and report any unusual behavior to law enforcement immediately.
The security of your online accounts should be a top priority even if your financial data was not stolen. It’s time to update all of your passwords. In order to complete a fraudulent or identity theft transaction, hackers often hunt for additional accounts containing the victim’s personal information. Make use of two-factor authentication if available.
The major credit bureaus all provide free services to help keep your credit secure, including the ability to freeze credit and report fraud. With a credit freeze in place, no one may access your credit report without your permission. A fraud alert serves as a warning signal to other businesses. Any business that pulls your credit report will be alerted to the fact that your personal data may have been stolen and you may be the target of identity theft or fraud.
The consumer privacy lawyers at Console & Associates, P.C. help customers affected by data and security breaches pursue legal solutions by offering free consultations. By explaining your rights in clear, concise terms, we help you make an informed decision about your next steps. If you are a victim of the Lewis & Clark College data breach, Console & Associates, P.C. will investigate at no charge to you and offer advice on how to proceed. If you decide to pursue a case, rest assured that we don’t get paid unless you do. If your claim is successful, legal fees are either paid out of the funds recovered or by the defendant. If your claim is not successful, you pay nothing.
Below is a portion of the notice posted on their website:
Dear LC Community,
As you are aware, we experienced a cyberattack beginning on March 3 which significantly impacted almost all IT systems on campus. We are now at a point in our response in which we are able to share more information about the nature of the incident.
It is common in such an instance for the attackers to use ransomware, which is a type of malicious software, or malware, to prevent the victim from accessing their computer files, systems, and networks until a ransom is paid. We now know that the attack was perpetrated by a group known for similar attacks against educational institutions.
Following the advice of law enforcement and our external experts, the college has chosen not to pay ransom. Instead, we have worked nonstop to rebuild our IT systems from backups which are regularly retained by the college. At the same time, we have been working with a cybersecurity forensic firm to assess whether and to what extent there has been any compromise of protected or otherwise sensitive data as a result of this incident.
The cybercriminals responsible for the incident now claim to have published a limited amount of Lewis & Clark data on a “dark web” website maintained by the threat actors. Our external cyber forensic firm is helping us to investigate this claim. We are currently working to retrieve the information, at which time we will conduct a thorough review. When cybercriminals publish data of this nature, they do so on portions of the internet that are unindexed, not easily searchable, and only accessible by means of special software, which means that it may take a while to investigate the scope and nature of this claim.
Given that we do not have reliable information about the scope or content of the allegedly published data, there is no action for you to take at this time. In the event we determine that the incident resulted in unauthorized access or acquisition of protected information related to students, faculty, staff, parents, or other friends of the college, we will provide notification to impacted individuals in accordance with state and federal regulations.
To date, we do not have evidence that the information involved in this incident has been used for identity theft or financial fraud. We are taking this very seriously and using all resources available to conduct a thorough and diligent review of the impacted data.
As a reminder, if you receive communications from persons claiming to have your personal information, or which are otherwise suspicious, please do not respond, and immediately report the incident to [Redacted].
Once again, we appreciate your patience during our continued response to the incident.