Personal information of thousands of current and former Heartland Community College students and staff has been posted on an unsavory section of the internet, putting them at risk of identity theft.
Letisha Trepac, HCC's vice president of finance and administration, said the exposure is part of the fallout from an Oct. 5 attack on campus computer systems that crashed more than 120 servers at the college.
The attack began in the small hours of the night and bloomed into a cascade of system failures just as the campus was starting morning business. The cyberattack encrypted some systems beyond recovery. Investigators think it was carried out by a group of criminals who demanded a ransom, offering to restore access to the data with an encryption key once payment was made.
At the time of the incident, Heartland said publicly it did not have evidence that personal data was stolen, merely encrypted and taken hostage. That changed when one of the security firms Heartland hired found personal data of people associated with Heartland posted on the dark web.
The dark web is a section of the internet not indexed by search engines and only accessible through a specialized browser used to keep information anonymous. It is sometimes used to buy and sell illicitly obtained information.
The consulting firm, TetraDefense, investigated further, and in December Heartland sent a letter to 1,658 current and former staff and students notifying them that their data might have been exposed, according to a Heartland spokesperson.
In late March, a second round of letters went to 3,983 people informing them the attackers had indeed stolen their data. Some people received both letters, said HCC spokesperson Steve Fast. In all, nearly 3,900 separate individuals were sent letters.
“We discovered that documents containing your full name, Social Security number, and financial account information were removed from our network and posted on the dark web in connection with this incident,” said one of the letters.
Heartland has offered those affected a one-year membership in Experian IdentityWorks Credit 3B, a monitoring tool to help detect identity theft and resolve related issues.
It depends on what information was accessed, but individuals can take a number of steps. Diligent credit monitoring is key for some individuals, said Trepac.
Heartland officials urged those who received the letters to take them seriously.
“I want to stress that the letters are genuine,” said Fast. “The information giving a contact in Pennsylvania is legitimate.”
IdentityWorks charges a monthly fee of $19.99 with the first month free, according to its advertisements. That would place the retail value of the service Heartland is providing for those whose data is compromised at about $858,000. Trepac said the cost will be borne by Heartland’s insurance carrier.
Heartland told those affected that, to date, the college is not aware of any reports of identity fraud as a direct result of the incident. But data leaked in the wild can be sold and resold for years. That raises the question of whether a one-year subscription to the service is enough help.
“The question of sufficiency in general is a very good question in these unfortunate incidents. They are increasing in number for all business sectors. I think everyone should take any reasonable steps to protect their own identity. I know we are doing whatever we can as a college to assist in that as well,” said Trepac.
In the March letter, Heartland said it concluded its document review Feb. 26. But Trepac said that might not be the last word.
“As this is an ongoing investigation, anytime we receive new information we take necessary measures. Since the initial stages of the investigation, additional information was learned, which prompted us to take action,” said Trepac.
The encryption and ransom scheme halted campus operations for more than a week and disrupted the ordinary course of business for some sections of Heartland for months. Even now, some minor systems have not been replaced, including one in-house tool for budget analysis, said Trepac.