Student information was kept safe after Valley suffers a cyber attack that may cost more than $250,000
By D.R. Harward, Staff Writer
Student information remained safe during a recent password-focused attack that installed ransomware—paralyzing the campus network until a large ransom was paid. The password policy at Valley College underwent review and was updated, while the ultimate cost of recovery is expected to exceed $250,000.
Over the Christmas break, the computer system at Valley was hacked and access was held for ransom; a $28,000 ransom was paid and the Valley I.T. Department has worked feverishly to get all of the affected computers back online.
The Los Angeles Community College District brought in cyber-security experts, Crypsis, who determined that the school had been subjected to a “brute-force attack,” a type of hacking method that is dependent upon simple passwords.
According to Valley College President Erika Endrijonas: “This was not from an email, this was not somebody just randomly clicking on an email. This is what is called a brute-force attack and it went through one of our servers.”
Attacks of this type often involve exotic software to guess the passwords of a targeted system. Weak passwords are the most susceptible to these types of attacks, and those used at Valley did not fit in with modern security standards.
Prior to the attack, the LACCD password policy was not enforced; each college essentially created its own policy, leaving a patchwork of practices across the nine campuses in the district.
Valley I.T. Manager Hanh Tran said that prior to the attack, administrative passwords were only required to be up to eight digits long. According to Tran, a new, stricter password policy has been implemented across all LACCD campuses; it requires passwords of a minimum of eight characters that include numbers and special characters. Passwords will expire every 90 days and cannot be reused.
Tran said that only the email and website servers had been exposed to the hackers—the Student Information System, which contains sensitive personal information about students and staff, is not kept on-site and therefore had not been available for the intruders to exploit.
“It was confirmed…no data collection had occurred,” Tran reported.
Virtual extortion has gone viral in the 21st century, costing companies over $400 billion last year according to insurer Lloyd’s of London. The F.B.I. has stated that ransomware has become a significant threat to U.S. businesses and that the number of victims has grown substantially in the last three years.
According to the F.B.I., the initiation of an attack typically occurs when someone clicks on an infected advertisement or e-mail attachment, or visits a compromised website. The ransomware then proceeds to encrypt important files and documents, rendering them unreadable unless a ransom is paid.
The ransom that Valley paid was 28 bitcoins, the equivalent of $28,000 according to college administrators. Even though they had an insurance policy, the District will bear the brunt of the expense. Endrijonas explained:
“Well, there’s a $250,000 deductible on the insurance policy, by the time we finish this we will have exceeded the $250,000, so at some point they (the insurance company) kick in…between doing new servers, and the human capital we’d need and the specialists we’d need and all that.”
She went on to clarify that the expenditures associated with the attack were coming out of the LACCD budget and that Valley’s budget would not be impacted.
Solomon Smith contributed to this story.