In August, Whitworth University confirmed they had experienced a cyberattack in July. In that statement, they pledged to notify those impacted right away. They didn’t — unless you have a very liberal definition of “right away.”  Earlier this month, the university notified the state attorney general’s office of the breach, as The Spokesman-Review reports.

As those who reported on the attack knew back in August, LockBit claimed responsibility for the attack. They had added Whitworth to their leak site but then removed the listing. Removing a listing often indicates that the victim paid the ransom demand.

Even now, however, Whitworth is not being transparent about the incident or any ransom payment, citing an ongoing criminal investigation as their excuse or explanation for not revealing more.

The total number affected is not yet known, although Whitworth’s report indicates that 5,182 residents of Washington state were affected.