Editor's Note: The DePauw is an independently financed newspaper. Letter to the Editor reflect the thoughts and opinions of the author, and not necessarily those of The DePauw staff or editors. Letter to the Editor may be emailed to tdpnewspapered@depauw.edu. The DePauw reserves the right to refuse Letters to the Editor at the discretion of The DePauw advisors and Editor in Chief.
During the February 5, 2024 regularly scheduled meeting, DePauw University faculty supported a motion calling on the university administration to provide a “full, accurate and timely accounting of the Fall 2023 data breach.” On February 28, the Office of the President issued a response to the motion.
Kudos to university administrators for issuing a timely response to the faculty’s request. That said, any suggestion that the two-page, single-spaced response provides a full or accurate account of the cyberattack strains credulity.There are (at least) five things the “official story” of last semester’s cyberattack gets wrong.
1. Despite published reports, including a story first reported by WGRE and later published
in The DePauw, the administration refuses to name the “sophisticated criminals” who
perpetrated the attack. Nor does the administration’s response suggest the motivation
behind the data breach.
But in a news report published on December 4, 2023 in The Record, a leading
cybersecurity publication, readers learned that “the Black Suit ransomware gang said it
was behind the attack.” It’s unclear why the administration refuses to “name names,”
let alone acknowledge that the “cybersecurity incident” was in fact a ransomware
attack. At minimum, the administration should confirm this reporting.
2. According to the official story, “the investigation revealed a limited amount of data on
specific individuals was accessed.” Begging the question: How much data are we talking
about? And who’s personally identifying information (PII) was stolen?
The Record reports that Black Suit claims “to have stolen 214 GB of data.” By any
reasonable standard, describing that as “a limited amount of data” is putting it mildly.
As for the “specific individuals” affected by the hack, we still have no clear idea.
Anecdotally, I don’t know of any faculty member who wasn’t “notified via U.S. mail with
a letter that shared the types of information potentially at risk.”
3. In the interest of transparency, the administration prepared this report for the faculty.
Long on platitudes, but short on specifics, the official story contends that university
administrators “were and are bound by legal restrictions regarding what we can share.”
Fair enough. But what precisely are those legal restrictions? The official story fails to cite
statutes that prohibit crime victims from sharing such information. Without putting too
fine a point on it, public revelations about the details of all sorts of crime are
commonplace. Absent that sort of detail, the administration appears to be using
unspecified “legal restrictions” as a fig leaf to avoid providing relevant information to
the university community.
4. The official story rehashes much of what we already know about the “cybersecurity
incident” – that’s a ransomware attack to you and me. For instance, we’re reminded of
the various work arounds used to provide internet access last fall. All well and good, but
this is common knowledge. The administration’s report is replete with references to
third-parties, including federal investigators, forensic analysts, and insurance providers.
Nowhere in the report are these organizations named.
In the interest of shared governance, faculty have the right to know who has been hired
– and at what cost – to investigate the crime and ensure greater protections moving
forward. In a footnote, we’re told that the university’s “current insurance policy has a
$25,000 deductible and $1 million for coverage for cyber incidents.” No mention of the
insurance provider’s identity, or what impact this cyberattack has on future costs of
insurance.
5. The motion explicitly requested that “the administration report back to faculty about
what factors contributed to the data breach and how this will be addressed in the
future.” It was and remains a reasonable request. However, the official story fails to
identify what factors and conditions led to last fall’s cyberattack.
Indeed, for all of the investigations conducted during and after the data breach, there’s
precious little detail in the administration’s official story. Begging the question: What did
the forensic analysis reveal? Surely, the investigations offer some insight into how the
hackers accessed the university’s IT system. These same investigations likely reveal
weaknesses (e.g., deferred maintenance, overextended IT staff) the Black Suit gang
exploited. This is the sort of detail that university stakeholders have every right to know.
In short, the official story raises more questions than it answers. Moreover, it is indicative of the university’s tendency to downplay inconvenient truths and circumvent shared governance in the name of administrative expedience.
Submitted by Dr. Kevin Howley, DePauw Professor of Media Studies.