The extent of a data breach at Lewis and Clark College in March 2023 is becoming more clear as state reporting agencies disclose the number of affected residents. Based on the available figures, at least 11,000 records were compromised, and the total figure is likely much higher.
Five state reporting agencies disclosed the number of residents affected by the cyber attack: Washington (9,725), Maine (110), Massaschusetts (455), Montana (227), and Texas (895). In total, that’s 11,412 records.
Those figures do not include people from the other states and countries, and notably doesn’t include the number of victims in Oregon, where the school is located and where the majority of students come from.
Lewis & Clark College’s total active enrollment is about 3,500 students. About 70 percent of new students are from Oregon, according to the school’s website.
Dr. Lois Leveen, Lewis and Clark’s director of public relations, told Comparitech in an email:
“Last year, Lewis & Clark was subject to a ransomware attack, perpetrated by a group known for similar attacks against educational institutions.We had excellent, encrypted backup, which allowed us to restore operations relatively quickly. We also had proactively secured supports that allowed us to access outside cybersecurity experts quickly, and we continue to work with a cybersecurity forensic firm.Following the advice of law enforcement and our external cybersecurity experts, the college chose not to pay any ransom.”
Former and current Lewis & Clark students, applicants, and staff should be on the lookout for signs of identity theft and fraud. Keep a close eye on your credit reports and bank statements for suspicious activity. Make sure no one files taxes in your name, and file as early as possible. Take advantage of free credit monitoring if it’s offered to you. Look out for phishing emails from scammers posing as Lewis & Clark or a related organization. Never click on links or attachments in unsolicited emails.
What data was stolen?
The attack was claimed by hacker group Vice Society in March 2023. The group posted a proof pack allegedly containing passports and “documents that included Social Security numbers, insurance files, W-9 forms, contracts and more.”
Washington state’s data breach notification site states the stolen data included “Name; Social Security Number; Financial & Banking Information; Full Date of Birth; Student ID Number; Passport Number; Health Insurance Policy or ID Number; Medical Information.”
Maine’s state disclosure site also mentions financial info.
Breach notificaitons have also been submitted to Oregon, California, and Vermont, but are not available to the public at time of writing.
Cyber attacks plague US schools and universities
Comparitech tracked 98 attacks on US education facilities in 2023, affecting nearly 2.1 million records.
Ransomware attacks are a growing concern for schools and colleges worldwide. They take down key systems, shut schools for days on end, and prevent teachers from accessing lesson plans and student data.
Most schools don’t disclose ransom demands, but those that did ranged from $250,000 to $950,000. Schools suffered average downtime of 11.65 days in 2022.
About Vice Society
Vice Society is a ransomware group known for targeting healthcare, education, and manufacturing. Its targets span Europe and the United States.
The group often extorts victims twice: once to decrypt systems, and again for not selling or publicly releasing stolen data.
Vice Society was also responsible for an attack on Lakeland Community College in the same month that Lewis and Clark was attacked. Lakeland notified 285,948 victims of the attack in September 2023.