According to its website, Grand Valley State University (GVSU) in Michigan currently has 19,239 undergraduate students and 3,027 graduate students. The university offers 141 undergraduate and graduate degrees and employs 1,760 faculty members and 2,050 support staff members. Almost all of their students get some kind of financial aid. Those are some commendable statistics.
But will those statistics be remembered or will their students and employees be more likely to remember that in May, GVSU experienced a ransomware attack by Vice Society and some of their personal data wound up leaked on the internet?
On June 14, the Vice Society ransomware group added GVSU to their leak site. Departing from what has been their usual habit for a while now, Vice Society did not immediately just dump the data from their victim. Instead, they simply listed GVSU and provided a prominent countdown clock showing how much time was left until Vice Society would leak GVSU’s data if their ransom demands were not met. The clock was set to leak the data on June 18.
On June 14, DataBreaches emailed GVSU to inquire about the incident. Other than an autoresponder that a ticket had been opened, there was never any response — despite the fact that reminders and additional requests were sent to the IT Department and to multiple named individuals on June 14, June 16, and then again on June 18 (after data had been leaked).
To be clear: the leak itself is not the worst leak DataBreaches has ever seen in terms of exposing student or employee data. A lot of the leaked files were somewhat innocuous and appeared to relate to assignments. DataBreaches did not spot any major databases like student financial aid records or employee payroll or HR databases. Nor did DataBreaches spot any any databases with Social Security numbers of students or employees (some files have SSN as part of their filenames, but no SSNs were in the data). The most concerning files, perhaps, were the passports and identity documents for several dozen people.
Getting no reply from GVSU, DataBreaches reached out this week to a former graduate student at GVSU via Facebook messenger. We had spotted a number of identity documents for this individual in the leak, and we asked him if GVSU had alerted him that his identity info is freely available online at this point. No reply has been received, but we hope he will follow up on our message so that he can protect himself.
Although GVSU has ignored repeated inquiries, Vice Society did reply to this site’s questions. Via email, they informed DataBreaches that they first gained access to GVSU’s system on May 24. Although they did not reveal how they gained access, they commented that gaining access was “easy enough.”
The spokesperson also estimated that more than 90% of GVSU’s system wound up encrypted — including GVSU’s backups. [Note that DataBreaches is reporting Vice Society’s statements, but their claims have neither been confirmed nor refuted by GVSU.]
When asked whether the university negotiated with them at all about their ransom demand, the spokesperson responded that they negotiated for about 9 days. “They offered 75k, then 150k, then they stopped talking.” The spokesperson indicated that they had asked more than $150,000 but would not reveal the amount they had demanded.
DataBreaches has been reporting on education sector breaches for a number of years now, and took the opportunity to ask Vice whether in their experience, school districts or universities were getting any better at preventing attacks, or if the education sector is still a walk in the park for them.
“You know… some are still unprotected at all, some are protected well,” their spokesperson replied, adding, “We can still attack most networks of education sector.”
Sadly, DataBreaches has no reason to doubt that claim.
If anyone has seen any statement from GVSU about this incident or has actually received any individual notification, please let us know by email to breaches[at]databreaches.net.
Chum1ng0 assisted in researching this incident.