Cybersecurity Can Be Expensive
by lg0p89
Cybersecurity tends to be expensive. Quality, experienced staff are not cheap, especially given the shortage relative to the numbers needed. The delta between supply and demand continues to grow. The tooling continues to grow in complexity and cost. Depending on the use case, the business may even need more than one tool to cover all the required areas, even if there is a slight redundancy.
When there's an issue, aka compromise, there tends to be an uptick in costs. These can come from various sources, including new cybersecurity tooling, hardware, third-party forensic teams, and everything else.
For the third strike, there can be costs much later. The compromise could be caused by the infamous click-happy user, or better yet the user who receives a call from someone in IT asking to log in remotely to their system. In other cases, pen-tests had been done with some vulnerabilities being found over and over. With the latter case - and when there is a serious lack of security controls - there can be fines.
This was also the case with Lewis & Clark College in Portland, Oregon. This is a private liberal arts college and has three primary schools (College of Arts & Sciences, Graduate School of Education and Counseling, and the School of Law). There are approximately 2100 undergraduate and 1400 graduate students. The costs for the compromise were direct and indirect. The direct costs are the immediate costs after the compromise that can be directly attributed to the issue. These are all the people working extra/overtime, the extra tooling for present vendors, new tools that should have been purchased three years ago, and contracted parties to assist with the remediation and forensic work. What's generally overlooked are the indirect costs. Lewis & Clark College is finding this out the hard way with a class action lawsuit based on the compromise.
Background
A compromise of this nature, depth, and magnitude doesn't happen every week.
On or about February 28, 2023, the college experienced a cybersecurity incident. The adversary was able to compromise the perimeter and network security and accessed the crown jewels, here the college's data. Once the issue was detected, the college started sending urgent messages on social media and posting other messages on their website stating their systems were down, which started March 3rd. The systems affected included Workday, Google Workspace, Box, Moodle, GoAnywhere, Classroom Technologies, and others. This lasted until March 7th.
Post Incident
The IT operations certainly became busy when the hints of the compromise surfaced.
Once the full scope of the compromise began to show, the college worked towards securing the network, along with other actions to mitigate the attack's effects. The college also engaged third-party cybersecurity professionals for their forensic work.
Once the forensic team had access to the systems and logs, they were able to confirm the data which had been exfiltrated by the adversaries. While the adversaries did have the data, there was no evidence yet that the data had been maliciously leveraged. That doesn't mean it won't happen. The forensic team was able to determine whether the accessed files contained Personally Identifiable Information (PII) or Personal Health Information (PHI).
Due to this, the college completed the notification on March 22nd, sending notification letters to each person potentially affected by the breach. In particular, the data included the affected person's name, date of birth, Social Security Number (SSN), driver's license number, state identification number (if applicable), passport information, financial account information, medical information, health insurance information, and college unique identifier. This is quite the list of items. I'd describe this as a plethora of data points useful in so many ways. Identity theft would be easy with this in hand.
The Other Shoe
The successful attack was serious enough and widespread enough that it affected not only the data but also finance, operations, classroom activities, and most other aspects of the college. Approximately a year later, the other shoe dropped and the college received more bad news.
Console & Associates began the investigation into filing a class action lawsuit against Lewis & Clark College due to the compromise and its effects. They are "eager to speak to victims..." Anyone who receives the Notice of Data Breach can be part of the lawsuit.
A former employee of Lewis & Clark College was the plaintiff for the class action suit against the college. A basis for the suit is that the school did not take adequate safety measures and precautions to protect the students' and employees' data. The class action lawsuit alleges the college acted negligently in protecting the data. The suit also alleges a breach of implied contract and a violation of Oregon's Unlawful Trade Practices Act. Although the suit has been filed, the court must still certify it as a class action.
This is probably not going to be cheap. The college is going to pay attorneys and paralegals throughout the legal process. There will also be the amount the court assesses against the college if it is found to have acted negligently. This isn't going to be a short and quick case. The investigation alone will take a massive amount of time, which translates into a large legal expense.
Oh, and by the way, there will be hours of witness preparation to pay for.