Yet another notification letter provides an example of why we need legislation requiring more transparency in disclosures. A DataBreaches.net OpEd.
Background: The Bluefield University Breach
On May 2, DataBreaches reported a cyberattack involving Bluefield University in Virginia that had first been reported by WVVA. The local media had reported that on May 1, Bluefield had issued a statement saying:
…As you know, on Sunday, April 30, 2023, Bluefield University discovered a cybersecurity attack that impacted our systems. Upon learning of this issue, we immediately engaged independent third-party cybersecurity experts to assist in our review and remediation efforts, but it may be a few days before full functionality can be restored. We are working through the investigation to determine the nature and extent of the incident. However, as of now, we have no evidence indicating any information involved has been used for financial fraud or identity theft.
On May 7, DataBreaches published an update after Avos Locker started leaking data from the breach while claiming it still had access to the university’s systems. And by then, an individual who appeared to be the threat actor started posting on infosec.exchange. They wrote:
We republished the leak because they’re not paying us. 10 minutes after we texted their students, they opened the negotiation chat, sent no messages, then disappeared for 5 days. They write “hello, can you help us get our data back?” then stop replying so we don’t care anymore.
The leak post is live and will remain published. Appears they were instructed by the FBI to send false messages.
Following that post, the threat actor (TA) began telling DataBreaches more about the attack and incident response. Claims made by the TA were incorporated in the May 7 post. DataBreaches emailed the university to inquire about their incident response and the TA’s claims. They did not reply.
On May 12, with the university still not disclosing anything or answering questions, DataBreaches reported that the attack affected employees, students, and some students’ parents. As DataBreaches also reported, the TA still had access and was able to steal more data because Bluefield had not warned the community not to submit personal or sensitive information until the system was secured.
DataBreaches posted its own warning to the Bluefield community:
Students (and staff and faculty): Anything you submit to the university in the way of personal information is currently being seen and acquired by Avos Locker. If the school didn’t warn you about that, well, that’s between you and them, but think twice before you submit any personal or sensitive information to the school until the university manages to lock the hacker out of their systems. And so far, that hasn’t happened.
On May 12, DataBreaches emailed Bluefield again to ask whether they had notified students and parents whose financial aid-related forms were exfiltrated, and whether they had notified the faculty and staff whose W-2 records had been both exfiltrated and already leaked on the dark web. Once again, they did not reply.
Bluefield’s last update was on May 16. It stated, in part:
Now in the third week following the cybersecurity attack, the University has resumed all critical system operations and is incrementally expanding access across campus. Due to persistent issues in the Outlook environment, a number of student and alumni email accounts have been suspended. We apologize for the inconvenience this has caused, and we are working to reactivate these accounts as soon as we can.
There also have been several images containing personal information of employees and students posted on social media and internet sites over the past two weeks. The University has provided written communication to these individuals notifying them that their personal information may have been exposed due to the cyber incident, along with providing them credit monitoring and other precautionary measures they can take to protect their personal information.
The full update and all previous updates on the incident can still be found at https://www.bluefield.edu/bu-cyberattack-updates/. If that page is removed, a .pdf screencap version is available.
Bluefield University Notifies Maine and Those Affected
On November 27, Bluefield’s external counsel notified the Maine Attorney General’s Office about the breach. According to their submission, the breach occurred between April 29 and May 11 and affected 23,195 people.
Also according to the submission by McDonald Hopkins PLC, the breach was discovered on October 26, 2023. But as the chronology above demonstrates, that is not when the breach was first discovered. Let’s consider the letter Bluefield has now sent out to those affected. It begins:
On May 1, 2023, Bluefield detected unauthorized access to our network as a result of a cybersecurity incident that resulted in the potential exposure of the data we maintain.
Upon learning of this issue, Bluefield secured its network and commenced a prompt and thorough investigation in consultation with outside cybersecurity professionals who regularly investigate and analyze these types of situations. Bluefield devoted considerable time and effort to determine what information was contained in the compromised files. Based on its comprehensive investigation and review, Bluefield discovered on October 26, 2023, that your personal information was potentially removed from our network by the unauthorized party.
Rubbish.
By May 12 at the latest, Bluefield knew or reasonably should have known that data had been exfiltrated. The TA had provided proof of claims, and DataBreaches had posted redacted samples. Bluefield might not have known exactly who and exactly what data types were involved for each and every individual by May 12, but they knew data had been exfiltrated. But almost seven months later, they claim that they “discovered on October 26…. that personal information was potentially removed.” They didn’t.
Almost seven months after they first discovered the breach, they sent notifications. From May 1 to November 27, Bluefield University seems to have left more than 23,000 people in the dark about the theft of their data. The only individuals they notified previously were those whose files showed up on social media or in publications like DataBreaches.net.
We Need Legislation That Requires Truthful and Full Transparency
DataBreaches continues to believe that we must have legislation requiring entities to disclose breaches promptly and more truthfully so that the victims can decide how best to protect themselves. We need legislation that requires entities to include the following elements:
- When did the entity FIRST become aware of a security incident?
- How did the entity first become aware of the security incident — by internal means, by third parties, or by threat actors themselves?
- When did the entity first realize that any personal information had been accessed by an unauthorized individual or individuals?
- When did the entity first realize that any personal information had been exfiltrated?
- Was any data from the incident leaked or posted for sale on the internet? If so, on what date did it start?
- If the incident was due to a misconfiguration that permitted unintended access: when did that misconfiguration first occur, and what do logs show about IP addresses that accessed the data since the time the data was left exposed?
We also need legislation to require entities to notify victims and regulators promptly if data with personal information is leaked or dumped on the internet. All too often, victims have no idea that their data has been leaked unless they happen to read about it on the internet. Entities should not only alert victims promptly so that they can take steps to protect themselves, but all notification letters involving a cyberattack should be required to include information on whether data were encrypted by threat actors, whether there was any extortion demand, whether the entity had current and usable backups to restore from, and whether the entity paid any extortion demand.
And of course, entities should not be permitted to use weasel words like “your data may have been accessed or acquired” when they know it was. If the entity really cannot determine whether data was accessed or acquired, they need to say that clearly so that victims understand that the entity responsible for protecting their data now has no idea what happened to their data as a result of the incident and they should therefore assume the worst — that it’s been stolen and is at risk of misuse.
Such legislation should also apply to the education sector, which currently has few requirements for entities in the event of a data breach despite collecting and storing personal and identity information, often for decades.
DataBreaches will be submitting a complaint to both the FTC and HHS about entities that submit deceptively written notification letters to victims and regulators and will, of course, continue to follow up on this issue and to promote greater transparency via legislative changes.