AlphaV claims attack on Florida International University (updated)
It’s been a while since DataBreaches.net reported on a data security incident involving Florida International University in Miami, but if AlphaV’s claims are true, they have been breached again.
AlphaV (“BlackCat”) added FIU to their leak site and claim:
In our design the following information:
-Personal information of students and teaching staff, including confidential data, SSN, contacts and more
-Contracts, financial and accounting documents
1.2 TB of Data and 300 GB SQL
But there is nothing in their very limited proof of claim that discloses personal or sensitive information or proves that they exfiltrated it.
SuspectFile has an interesting write-up on this, noting that FIU was also impacted by the big Blackbaud ransomware attack in early 2020. They report having sent an email inquiry to FIU about AlphaV’s claims, but have yet to receive any response.
On April 9, ABC News reported that FIU had notified students and staff about the AlphaV incident. Their report seems somewhat contradictory, though:
University officials on Saturday notified students and staff that a ransomware group got a hold of sensitive data.
Officials said they are investigating.
In the message sent by the university, officials wrote, “There is no indication thus far that sensitive information has been compromised.”
If threat actors “got hold of” sensitive data, then it was compromised. So what, exactly, did FIU write to students and faculty? DataBreaches.net sent an email inquiry to FIU, who provided a copy of the statement they sent out on April 8:
April 8, 2022
Dear members of the university community,
Today, a ransomware group posted that sensitive FIU data had been exfiltrated. We have been investigating and there is no indication thus far that sensitive information has been compromised. At this time, no further information is available.
That sounds like they are saying that they had not found any evidence of exfiltration, but it’s still not really clear, so DataBreaches requested clarification:
So when FIU said there was no indication that sensitive info has been *compromised,* was FIU stating that there was no indication so far that sensitive info has been *exfiltrated?*
Or did the statement mean that there was indication that sensitive info had been exfiltrated but it had not been compromised?
No reply was immediately forthcoming, but DataBreaches will update this post when clarification is received. (UPDATE: A reply was received on April 12. It is posted under the original article, below).
The Blackbaud incident discussed by SuspectFile impacted FIU’s data, but was not an attack on FIU’s system. FIU has had other incidents that did involve their system, however. Looking through this site’s archives:
- In 2010, DataBreaches.net reported that FIU was notifying students and faculty about an unsecured database that exposed information such as GPAs, test scores, and social security numbers of more than 19,000 students as well as the social security numbers of 88 faculty members.
- In 2015, DataBreaches.net pointed to news coverage in Florida that Team Ghost Shell had breached a number of Florida universities, allegedly including FIU’s Health Department. At that time, FIU reportedly confirmed The Herbert Wertheim College of Medicine website was hacked, but claimed that there was no sensitive information available on that website.
- In 2016, DataBreaches.net reported on a claimed hack of FIU’s system, but despite repeated attempts at notification and inquiry, DataBreaches received no reply from FIU. In that incident, a paste contained 160 addresses with passwords in one part of the data dump, and another section of the dump included first and last names, usernames, encrypted passwords, and email addresses.
Some might argue that given how many attacks there are on the education sector, a handful of incidents in more than a decade is not that bad for a highly-ranked university that has tried to become a hub of cybersecurity research. It’s an argument that would not be without some merit, especially since DataBreaches is not currently aware of any successful attacks on their system since 2016.
Statement from FIU, April 12, 2022
Media Statement from Florida International University on Cybersecurity Incident
Florida International University (FIU) recently became aware of a security incident involving ransomware that affected some systems at the university. We immediately started an investigation, informed law enforcement and engaged third party professionals to assist in the investigation of the incident. On Friday, April 8, 2022, we made our university community aware of a ransomware group’s claims that sensitive FIU data was exfiltrated and our efforts to investigate.
This investigation is ongoing, and we are working diligently with our partners to gain a complete understanding of the incident – including what type of data was stored on the server and may be at risk. At this time, we do not believe that any financial information, social security numbers, or information on student performance was stored on the impacted server.
Importantly, this incident has not impacted the education process – students and researchers are continuing their work, uninterrupted. We are committed to keeping all relevant parties informed throughout the process and will continue to provide updates as necessary.