In late July, Whitworth University undergraduate Byron Gustafson tried to access information on his university’s website, but his request did not go through. At first, he assumed the glitch was temporary. But three days later, he saw a brief post from the university indicating that the institution was experiencing technical difficulties. In search of more information than the university provided, he checked the “Whitworth Confessions” Instagram account, where reports circulated widely that the university had been hit by a ransomware attack.
“My anger in this whole event is the lack of transparency,” Gustafson said. “They sent [an] email … about changing our passwords for ‘digital hygiene’ about a week after the website went down.”
On Wednesday, nearly three weeks later, Whitworth acknowledged for the first time what many concerned and frustrated students and faculty had suspected all along: the institution had been hit by a cyberattack. The university has neither confirmed nor denied rumors that the cyberattack involved ransom.
“On Friday, July 29, we became aware that our information systems had been accessed by outside actors. Our information technology and instructional resources (IT/IR) teams worked tirelessly alongside cybersecurity experts to stop the incident and have been restoring systems as fast as they can. We expect to restore about 95 percent of normal operations by Aug. 31,” a statement on the Whitworth website said.
The message, which was not attributed to an individual, indicated that experts would continue to work to identify what and whose information was accessed. The message promised to notify affected community members right away should that be necessary and thanked community members for their patience.
After the Whitworth website disappeared in late July, the institution had posted an emergency website listing the phone numbers and email addresses of campus offices. The website, which is still active today, has precisely four links—one each for “general information,” “prospective students,” “new and returning students,” and “alumni and parents.”
Until Wednesday, the university had confirmed the outage in a terse written statement but had not offered information about its cause. Students, faculty members and alumni were frustrated and concerned by the lack of communication. In the absence of information, many seized on then-unverified reports that the cause was not only a cyberattack but a ransomware attack.
“The word ‘hack’ has never been used,” a Whitworth faculty member told Inside Higher Ed Wednesday, hours before the university released the updated message. “The word was ‘don’t touch anything’ and ‘don’t get on your computers at work.’” The Wi-Fi was down, and the phones were out of commission, according to the faculty member, who requested anonymity because of concerns about recriminations from administrators.
Colleges and universities experienced a surge in ransomware attacks in 2021, and those attacks had significant operational and financial costs.
“Once [a cyberattack] happens, it is critical that there’s a forensic effort that goes on to determine where they got in, what they actually have, and how significant it is,” said Shaun McAlmont, CEO of NINJIO, a cybersecurity-awareness training company. McAlmont said he knew nothing about the specific situation at Whitworth. “As soon as you’re aware of that type of information, you’ve got to let people know if they’re at risk.”
“A lack of communications leads your constituents to believe something,” said Tricia Clay, chief information officer of Hudson County Community College and a group leader of the cybersecurity community run by Educause, the higher education technology association. Clay also said she knew nothing about the specific situation at Whitworth.
The LockBit ransomware group claimed responsibility for the attack, indicating that it stole 715 GB of data and set a ransom deadline of Aug. 23, according to an article the newspaper Inlander published on Wednesday. Many students and faculty members had been alerted to this possibility by BetterCyber, a private cybersecurity company, that tweeted this information on August 10. LockBit is often distributed as an email attachment or exploits web browser vulnerabilities, after which it “encrypts files, renders them inaccessible, and demands payment for the decryption key,” according to Microsoft.
“Ransomware is a terrible thing, and if that’s what’s going on, I absolutely have sympathy for my school,” Gustafson said hours before the updated university message. “But not telling us, and not telling us that our financial and personal info could have or has been compromised, trying to play coy about the whole issue, it’s a trust-breaking event.”
Gustafson said that he and many other students would have been “beyond willing” to support the university if it had simply offered a timely statement that community members needed to take proactive steps to protect their personal and financial information.
Faculty members teaching summer classes when the technical issues surfaced weeks ago were unable to use their university email accounts. Many elected to communicate with students using personal accounts, according to the Whitworth faculty member.
While the university has confirmed that its network issues resulted from external actors, it has not revealed the magnitude of the attack or used the word “ransom.”
“I hope Whitworth University chooses transparency and updates the community,” said Hunter Smit, an alumnus who earned a bachelor’s degree in 2019 and a master’s in business administration in 2020 said hours before the updated message. “The university extensively taught the principle of transparency in an organization during a crisis. When an organization leads with transparency, they control the narrative.”