Tammy Anthony Baker, executive vice president to New Orleans and South East Information Technology Group, posted to social media Thursday that she discovered 150 gigabytes of "accounting, education, financial, marketing and business" data from Southeastern Louisiana University had been made available by a ransomware group named "BianLian" while checking the "dark web."
"Experience tells me that this data dump is the tip of the iceberg and was leaked possibly as proof of breach," Baker wrote in an email. "The SELU leak is a small dataset of 150GB. I'd estimate SELU's actual quantity of data to be in Terabytes and possibly Petabytes. I'm sure more information will surface in the coming days."
Southeastern took its network offline Feb. 23 in response to the security incident, leaving students and faculty without access to the school's website, email or portal for submitting assignments for nearly four weeks while officials worked with Louisiana State Police to investigate the incident.
"Moments following the initial network incident, our technology staff took steps to help safeguard our data and reported the incident to the appropriate authorities," Southeastern President John Crain wrote in the university's last public statement on the matter, dated March 15.
Southeastern declined to comment Friday on the potential data leak, while Louisiana State Police and Tangipahoa Homeland Security, which are investigating the breach, did not respond to requests for comment.
Michael Richmond, director of cybersecurity and technology services at Postlethwaite & Netterville cybersecurity firm, said Baker's post was "legitimate and verified through several of our cyber threat intelligence sources."
Richmond explained that ransomware groups sometimes release portions of data to dark websites when ransom demands have not been met, and will offer to remove public access only after ransom payments have been made — meaning the total amount of data stolen could be larger than what's currently visible online.
Richmond said the attack was "predictable and follows the current cyber threat playbook."
"Once data is published and the organization is aware, this would start the clock ticking for notification [to impacted individuals] as there is no longer plausible deniability that data has been compromised and should warrant a response from the university as to the nature and scope of the data stolen and the user population affected," Richmond wrote in an email.
The university said in a statement March 6 that officials would notify impacted individuals as soon as possible; state law requires agencies notify those affected within 60 days of discovery of the breach unless doing so would impede criminal investigations.
The school also advised students and faculty in a university blog post to change all their passwords, turn on multi-factor authentication, update their software and contact their credit bureaus to review their credit report for suspicious activity or freeze their credit if necessary.
WHAT'S IN THE DATA?
Among the files made available in the leaked dataset included a document titled "Passwords and logins," which contained login information for social media accounts and public databases belonging to two Southeastern employees.
"Obviously, basic cybersecurity hygiene practices are not being followed," Baker said. "Never should credentials be shared nor should they be stored in plain text documents like Word or Excel files."
Cybersecurity attacks aren't a new problem in higher education, though attacks in Louisiana have spiked recently — two weeks ago, another outage took place across five higher ed institutions: University of New Orleans, River Parishes Community College, Southern University at Shreveport, LSU Agricultural Center and Nunez Community College in Chalmette.
Those outages caused significantly fewer problems than Southeastern's, though some institutions were hit harder than others — while the LSU Agricultural Center had its network back to normal within the weekend, Southern University at Shreveport held its classes virtually for a week while IT worked to restore campus Internet.
Last November, Xavier University experienced a ransomware attack of its own, supposedly by a group called "Vice Society," causing student and faculty data to be stolen — bringing the total number of attacks at Louisiana colleges to seven within four months.
Even seven weeks after the Southeastern attack, some members of the campus community continue to feel the effects of the outage. Dayne Sherman, a professor and coordinator of user education for the library, said many of the wired computers remain inaccessible for students. He also said wireless Internet connection continues to be "spotty."
"You can walk around campus and go to every lab and see that the keyboards are pulled up and students can't use them," Sherman said.
A spokesman for Southeastern said "nearly all labs and most wired computers" were functional, and that Wi-Fi access was available across campus.
Sherman said he's been concerned by the lack of transparency from the president regarding the attack, and that thus far he personally hasn't heard of anyone receiving a notice of breach.
"What's been unconscionable has been the bad communication, not being forthright, not coming clean," Sherman said. "They've never admitted it was a hack. No one knows what's going on, but we're not stupid. I'm not shocked by [the leaked data], but I am horrified."
©2023 The Advocate, Baton Rouge, La. Distributed by Tribune Content Agency, LLC.
